S. Hrg. 103-1067
THE ADMINISTRATION'S CLIPPER CHIP KEY
ESCROW ENCRYPTION PROGRAM
Y 4. J 89/2: S. HRG. 103-1067
HEARING
BEFORE THE
SUBCOMMITTEE ON TECHNOLOGY AND THE LAW
OF THE
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED THIRD CONGRESS
SECOND SESSION
ON
THE ADMINISTRATION'S IMPLEMENTATION OF A PROGRAM TO ENABLE
THE GOVERNMENT TO DECODE FORMS OF COMMUNICATION THAT IS
ENCRYPTED WITH A COMPUTER CHIP CALLED "CLIPPER CHIP"
MAY 3, 1994
Serial No. J-103-55
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
20-186 CC WASHINGTON : 1995
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402
ISBN 0-16-047780-8
COMMITTEE ON THE JUDICIARY
JOSEPH R. BIDEN, Jr., Delaware, Chairman
EDWARD M. KENNEDY, Massachusetts ORRIN G. HATCH, Utah
HOWARD M. METZENBAUM, Ohio STROM THURMOND, South Carolina
DENNIS DeCONCINI, Arizona ALAN K. SIMPSON, Wyoming
PATRICK J. LEAHY, Vermont CHARLES E. GRASSLEY, Iowa
HOWELL HEFLIN, Alabama ARLEN SPECTER, Pennsylvania
PAUL SIMON, Illinois HANK BROWN, Colorado
HERBERT KOHL, Wisconsin WILLIAM S. COHEN, Maine
DIANNE FEINSTEIN, California LARRY PRESSLER, South Dakota
CAROL MOSELEY-BRAUN, Illinois
Cynthia C. Hogan, Chief Counsel
Catherine M. Russell, Staff Director
Mark R. Disler, Minority Staff Director
Sharon Prost, Minority Chief Counsel
Subcommittee on Technology and the Law
PATRICK J. LEAHY, Vermont, Chairman
HERBERT KOHL, Wisconsin ARLEN SPECTER, Pennsylvania
DIANNE FEINSTEIN, California LARRY PRESSLER, South Dakota
Bruce Cohen, Chief Counsel/Staff Director
Richard Hertling, Minority Chief Counsel
CONTENTS
STATEMENTS OF COMMITTEE MEMBERS
Page
Leahy, Hon. Patrick J., U.S. Senator from the State of Vermont 1
Murray, Hon. Patty, U.S. Senator from the State of Washington 16
CHRONOLOGICAL LIST OF WITNESSES
Panel consisting of Jo Ann Harris, Assistant Attorney General, Criminal
Division, U.S. Department of Justice; and Raymond G. Kammer, Deputy
Director, National Institute of Standards and Technology 3
Panel consisting of Whitfield Diffie, engineer and cryptographer, Sun
Microsystems, Inc., Mountain View, CA, on behalf of the Digital Privacy
and Security Working Group; and Stephen T. Walker, president, Trusted
Information Systems, Inc., Glenwood, MD 33
ALPHABETICAL LIST AND MATERIAL SUBMITTED
Diffie, Whitfield:
Testimony 33
Prepared statement 37
Harris, Jo Ann:
Testimony 3
Prepared statement 13
Kammer, Raymond G.:
Testimony 17
Prepared statement 19
Leahy, Hon. Patrick J.: Testimony 1
McConnell, Admiral J.M.:
Testimony 95
Prepared statement 103
Murray, Hon. Patty:
Testimony 16
Prepared statement 16
Walker, Stephen T.:
Testimony 42
Prepared statement 46
Attachment I: Encryption production identified as of Apr. 22, 1994 62
Attachment II: Companies manufacturing and/or distributing cryp-
tographic products worldwide 76
APPENDIX
Additional Submissions for the Record
Prepared statements of:
Computers and Business Equipment Manufacturers Association 107
United States Council for International Business 112
Crypto Policy Perspectives:
Composed by Susan Landau, Stephen Kent, Clint Brooks, Scott Charney,
Dorothy Denning, Whitfield Diffie, Anthony Lauck, Douglas Miller,
Peter Neumann, and David Sobel 114
Time/CNN poll conducted. Mar. 2-3, 1994 123
Questions and Answers
Questions to Jo Ann Harris from:
Senator Leahy 127
Senator Pressler 133
Senator Murray 134
Additional remarks of Jo Ann Harris 134
Questions to NIST from:
The Senate Subcommittee on Technology and the Law 138
Senator Murray 144
Senator Pressler 144
Questions to Whitfield Diffie from the Senate Subcommittee on Technology
and the Law 144
Letters from Whitfield Diffie on behalf of Sun Microsystems Computer
Corp., May 23, 1994, to:
Senator Murray 147
Senator Leahy 148
Questions to Stephen T. Walker from the Senate Subcommittee on Tech-
nology and the Law 148
Questions to Admiral J.M. McConnell from:
The Senate Subcommittee on Technology and the Law 152
Senator Pressler 153
Senator Murray 154
THE ADMINISTRATION'S CLIPPER CHIP KEY
ESCROW ENCRYPTION PROGRAM
TUESDAY, MAY 3, 1994
U.S. Senate,
Subcommittee on Technology and the Law,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:39 a.m. in room
G50, Dirksen Senate Office Building, Hon. Patrick J. Leahy (chair-
man of the subcommittee), presiding.
Present: Senators Specter, Pressler, and Murray [ex officio].
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S.
SENATOR FROM THE STATE OF VERMONT
Senator Leahy. Good morning. We are holding today's hearing
for a number of reasons. The administration is implementing a con-
troversial program to enable the government to decode any tele-
phone, fax, or computer communication that is encrypted with a
special computer chip called Clipper Chip. In doing so, and I under-
stand the reasons for this, the administration has responded to the
alarm bells that were sounded by our law enforcement and intel-
ligence agencies. They are struggling to keep pace with emerging
telecommunications technologies that make it easier to encrypt
messages and evade lawful wiretaps.
Incidentally, the administration, has stressed, and I am sure will
in testimony today, the security of Clipper Chip. The price for this
security is that two Federal agencies will hold a duplicate set of
keys to decode any communication encrypted with the Clipper Chip
before any wiretap order has been issued.
Now, before American citizens and potential customers of Amer-
ican computer and telecommunications products will see this as the
solution to privacy or security concerns, they have got to be assured
that iron-clad procedures are in place. We have got to be able to
guarantee that, absent a court order, no one is going to be able to
decode their private communications except, of course, the person
they want to. Otherwise, even law-abiding users are not going to
want to use encryption devices with Clipper Chip.
We are going to see demonstrations of how encryption works and
we are going to hear from government witnesses, experts and crit-
ics of Clipper Chip. I would note, that a recent Time/CNN poll indi-
cated that 80 percent of the American people oppose this program,
so I would hope that the public might get a chance to hear more
about it today.
Admiral McConnell, I want to thank you for your willingness to
be here. I understand that, as we have discussed before, you have
to limit your public remarks out of concern for national security.
A second part of this hearing will be held in a secure room so that
we can hear the remainder of your remarks.
Now, our Constitution requires that we strike a balance between
an individual's right to be left alone and conduct his or her own
affairs without government interference, and our interest in a se-
cure and safe society. The Clinton administration's Clipper Chip
may be seen as a solution by the law enforcement and intelligence
agencies, but it raises a whole lot of questions for its potential
users about whether it tips that fundamental balance.
I have got to tell you I have some real questions about whether
any sophisticated criminal or terrorist organization is going to use
the one code endorsed by the U.S. Government and for which U.S.
Government agents hold the decoding keys, especially when there
are a number of alternative encryption methods commercially
available, including one I read was just recently sent out over the
Internet.
I am concerned about the Clipper Chip's impact on the competi-
tiveness of our robust high-tech industries. We have got to ensure
that it does not impede American companies trying to market high-
tech products overseas. The administration's steps to reform some
export restrictions on encryption and telecommunications tech-
nology is welcome, but we have to talk about that.
I would note that we are talking today about Clipper Chip and
not about digital telephony. Many get the two mixed up, and, in
a way, some of the political questions are the same. In digital te-
lephony, the question is whether we will be able to hold up ad-
vances in communications technology until the Justice Department
can be assured that they have a way of conducting lawful wiretaps
on that.
The administration is asking the same thing with Clipper Chip:
That we not be allowed to develop and export encryption devices
until the government is given the keys to be able to decode
encrypted messages under appropriate standards and court orders.
My concern, I have got to tell you frankly, is what happens if we
say that the Federal Government is empowered to sign off on tech-
nology and technology may not go forward until they do. It bothers
me very much because my experience with the Federal Govern-
ment has been that in the areas of computers and telecommuni-
cations the Federal Government has carefully and assiduously
stayed at least 10 to 20 years behind the curve on just about every-
thing.
You can make a better and clearer telephone call from the Wash-
ington-to-New York shuttle than you can from Air Force 1, with all
its expensive equipment. Most telephone systems of the Federal
Government, as installed, have been antiquated. The only distinc-
tion is they usually pay far more than they would if they just
bought it off the shelf. You see the FAA struggling with a computer
system where they have to buy tubes from eastern European coun-
tries because nobody with advanced technology even makes the
darn things anymore.
If this is the same government that will sign off on when we go
forward, I can see the United States being in the backwash of com-
puter and telecommunications technology. I don't want to see that
happen. I suspect that none of the witnesses from the government
want to see that happen either.
So we have two problems, really. We have the problem of those
who are concerned about what Clipper Chip might do to our tech-
nological competitiveness in this country and, of course, we have
the further problem, as pointed out by the 80 percent of the people
who responded that way in the Time/CNN poll, of privacy.
The information superhighway holds the promise of an informa-
tion explosion that is going to enhance our marketplace of ideas,
bringing untold benefits to our citizens. But this promise will be an
empty one unless people are sure that when they go online or talk
on the phone they are not forfeiting important fundamental rights,
like their right to privacy.
New technologies present enormous opportunities for Americans,
but we have got to strive to safeguard our privacy if these tech-
nologies are to prosper in this information age. Otherwise, in the
service of law enforcement and intelligence needs, we are going to
dampen any enthusiasm Americans may have for taking advantage
of the new technology.
I come from a law enforcement background. I spent 8 years on
the Senate Intelligence Committee and continue to be involved
with intelligence agencies through my Appropriations Committee
hat. I understand the tremendous problems, especially with orga-
nized crime, that law enforcement faces, and the tremendous prob-
lems, especially with terrorism and the potential threat of terror-
ism, that our intelligence agencies face. But I also know that this
country has to survive economically, and one of the ways we do so
is the fact that we have been able to have certain technological ad-
vances. I don't want that to change.
We will go first, Ms. Harris, to you, and then to Mr. Kammer,
who is going to do a demonstration. Ms. Harris is Assistant Attor-
ney General of the Criminal Division at the Department of Justice,
and I am delighted you are here.
PANEL CONSISTING OF JO ANN HARRIS, ASSISTANT ATTOR-
NEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF
JUSTICE; AND RAYMOND G. KAMMER, DEPUTY DIRECTOR,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
STATEMENT OF JO ANN HARRIS
Ms. Harris. Thank you, Mr. Chairman, and thank you for the
opportunity to talk with you about the key escrow encryption con-
cept. In particular, I want to talk about balancing the public's right
to the best protection that technology can provide for legitimate
communications — balancing that with the public's right to be pro-
tected from criminals and terrorists, and I want to talk about how
we can maintain the balance in this age when technology is, as you
have noted, exploding all around us.
As I know you understand, many groups engaged in the most se-
rious and violent criminal conduct, including drug traffickers and
organized crime groups, major street gangs and terrorist groups,
must have a means of communicating quickly, over distance, with
each other. They rely on telephonic communications to conduct
their illicit activities, and at this time the law permits law enforce-
ment to obtain court orders to tap into these criminal conversations
upon, of course, a stringent showing of necessity and a showing of
probable cause that the communications are criminal in nature.
Even though we use that power very sparingly, our ability to
hear and, importantly, to understand these conversations has been
crucial to effective law enforcement. Evidence from electronic sur-
veillance has resulted in the convictions of, we estimate, 22,000 fel-
ons in the last decade.
As a Federal trial lawyer specializing in criminal cases, I can tell
you from plenty of first-hand experience and knowledge that some
of the most powerful evidence I have ever seen or heard in court
against these criminals are recordings of their own words directing
their criminal enterprises in a way that a jury can understand.
Further, I know from experience recently that authorized wire-
taps have not only caught and convicted criminals, they have saved
lives, including kidnaping victims and targets of terrorist activities.
For example, in four separate instances in the very recent past, law
enforcement has obtained critical information about the identity of
kidnapers who were threatening immediate harm to hostages. Law
enforcement has learned the location of the hostages and was able
to move in and rescue the hostages before harm was done. These
are fast-moving scenarios where our ability to get up on a wiretap
and understand the content of the conversations in realtime is ab-
solutely critical.
With court-authorized interception of telephone conversations, we
have penetrated the highest levels of mob activity, narcotics traf-
ficking. We have brought down whole organizations. Cases come to
mind that everyone, I think, has heard of. The Pizza Connection
case, the Commission case, the Hererra-Botrega case involving the
Cali cartel, are just examples of the power of the wiretap as a law
enforcement tool, and it is not limited to just mobs and drugs. Op-
eration Ill Wind, for example, was a Defense procurement fraud
case in which wiretaps led to 45 search warrants, 60 convictions,
hundreds of millions of dollars recovered in fines.
In addition, wiretaps have helped us prosecute child pornography
cases, murder-for-hire schemes. They have permitted us to make
seizures of tons of illicit drugs, helped us follow and seize the illicit
millions of dollars made by traffickers, without compromising ongo-
ing investigations.
But, Mr. Chairman, the ability to intercept these communica-
tions is only the first step. We must have the ability to understand
the content of these lawfully authorized wiretaps in order to act.
If we intercept illicit communications in a foreign language, we
need to bring in a translator who knows the language. If the lan-
guage is guarded, as it frequently is in these intercepted criminal
conversations, we need to bring in an expert to tell us what it
means.
Critical to my point here is if intercepted criminal conversations
are encrypted, we need the ability to cut through the encryption,
just as we need a translator to cut through the foreign language.
If we can't cut through the encryption in the coming age of tech-
nology, law enforcement efforts will be seriously hampered. This
ability to understand the words that we are lawfully intercepting
pursuant to court order is all we seek with the Clipper Chip, no
less and no more.
Mr. Chairman, the plain fact is, as you have noted, that high-
quality voice encryption in an affordable, portable, easy to use form
will soon be widely available on the market. We anticipate that
many legitimate users will acquire these and similar devices with
the perfectly legitimate goal of protecting their personal and busi-
ness confidential information. We worry, however, that such de-
vices will also be used by criminal organizations to shield their ille-
gal enterprises.
Mr. Chairman, last year, as you know, the Clinton administra-
tion, looking ahead to the future, trying to stay ahead of the curve,
sought to address both of these important issues — the protection of
legitimate communications without losing our ability to intercept
criminal communications with key escrow encryption.
Key escrow encryption has two fundamental features. First, on
the encryption side, to protect communications it uses a very strong
algorithm, so strong that it can only be decrypted with a key that
is unique to each individual key escrow encryption chip. Second, on
the decryption side, to ensure the public of the privacy afforded by
the key escrow encryption, this unique key is split into two compo-
nents, each held by one of two independent entities serving as es-
crow agents. Those two entities are not permitted to release key
components except to government agencies and, importantly, only
to government agencies when they are already authorized by law
to intercept the communications.
Mr. Chairman, we have worked to develop procedures that strike
the right balance between the rigorous protection of the privacy of
communications and the need in critical moments to be able to
decrypt such communications in order to protect lives and preserve
the public safety.
Clipper Chip key escrow encryption provides a combination of
procedural requirements, technical safeguards and audit capabili-
ties which will assure the integrity of the Key Escrow Encryption
System without frustrating the ability of government agencies to
understand encrypted communications in the course of lawful wire-
taps.
Senator Leahy. What happens if it is misused? Is there any re-
course by somebody whose communication was intercepted? Sup-
pose it was misused. We always assume law enforcement does
these things according to court order, but we know that there has
been misuse of taps before. What if that happened under this? Is
there any way we can go back against the person? I understand the
Attorney General has suggested that the escrow agents be immune
from liability for mishandling the keys. Is that a good idea?
Ms. Harris. If I may, Mr. Chairman, first address the unlikeli-
hood of that ever happening, given the protections built into the
system
Senator Leahy. Let us assume the unlikelihood for the purposes
of my question. Assume the unlikelihood that it were to happen;
unlikely things sometimes do. After 20 years in this branch of the
Federal Government, I have seen an awful lot of unlikely things
happen. I have seen Presidents declare that no money was diverted
to the contras. I have seen statements before the Persian Gulf War
that were false, and the American people spent $1.9 billion on for-
eign aid to Saddam Hussein as a result of misstatements to the
American public.
I mean, things do happen, so let us just assume that one time
out of a gazillion something went wrong. Is the Attorney General
right in saying that the escrow agents should be immune from li-
ability for mishandling the keys?
Ms. Harris. Mr. Chairman, I am not sure that the Attorney Gen-
eral has made such a statement with respect to immunity.
Senator Leahy. What she said was the procedures do not create
and are not intended to create any substantive rights for individ-
uals intercepted through electronic surveillance.
Ms. Harris. All right. They are not intended to create any sub-
stantive rights for people intercepted any more than the present
wiretap laws are intended to create substantive rights for people
who are unlawfully intercepted. We are building in such protec-
tions that I find it unlikely this will happen, but let me say this,
Mr. Chairman. It is a violation of Federal law right now illicitly to
wiretap. We take that law very seriously. We will enforce that law.
Senator Leahy. Would it be a violation of the same Federal law
illicitly to use the Clipper chip keys?
Ms. Harris. I would have to look at it more carefully.
Senator Leahy. Should it be?
Ms. Harris. Sorry?
Senator Leahy. Would you see any problem in applying the same
law to the misuse of Clipper chip keys as we apply to the misuse
of wiretap today?
Ms. Harris. If, in fact, in the course of an illicit electronic sur-
veillance, somehow a person got ahold of both aspects of the Clip-
per Chip, had the decryption device so that things were fed into it
and somehow they were able to break into this system, it is unlaw-
ful to participate in illicit electronic surveillance. It depends on the
facts of the case beyond that, Mr. Chairman, but I believe that if
that occurs it is going to violate the law.
Senator Leahy. Ms. Harris, a concern about Clipper Chip is that
the government has the keys to that. But there are other
encryption systems that are pretty good now, are there not, that
you as the head of the Criminal Division are faced with?
Ms. Harris. My understanding is that the Clipper Chip is so
much more powerful than anything available at this time that the
Clipper Chip is a spectacular way of encrypting conversations.
There are certainly other devices on the market now.
Senator Leahy. What about Pretty Good Privacy, PGP? There
was an article about that in the Wall Street Journal last week. And
the Wall Street Journal, at least on their news items, are usually
pretty accurate. Their editorials are written on a different planet.
[Laughter.]
But in their article, they suggest if I recollect it correctly, that
PGP is just about impossible to break. Is that right?
Ms. Harris. Well, the interesting thing about that particular de-
vice, as I understand it, is that it is software in a computer and
does not reach phone bands; that is, voice bands, which is what
Clipper Chip is all about. I mean, what Clipper Chip is involved
with is the encryption and decryption of the voice band.
Senator Leahy. But that would be fairly easy to do. I mean, if
much of our voice communications are now being digitized anyway,
wouldn't it be fairly easy to run this through a computer program
if somebody wanted to? If you can build it for data transmission in
Pretty Good Privacy, wouldn't it be fairly easy to do it, or assume
that that is going to be done within a relatively short time for voice
transmission?
Ms. Harris. My understanding is that it is ever so much more
complicated to do this with voice band, but I defer to the experts
who are with me on the technology here.
Senator Leahy. Well, let me ask you this question. I read an ar-
ticle about a convicted pedophile in California who used Pretty
Good Privacy to encrypt his computer diary, which frustrated the
police, who thought the computer diary might contain clues about
a child pornography ring, something that I think all of us would
agree that if law enforcement could find out about such a thing, we
would want them to be able to take action.
Have you seen many such instances of encrypted communica-
tions?
Ms. Harris. Well, let me again address the child pornography
case in California, which I think is the Wall Street Journal article,
and just underline that that is computer software and that is not
what we are talking about here. What I am talking about is our
ability to understand intercepted voice communications at a time
when we already have the court orders to intercept it, and
Senator Leahy. Well, let us
Ms. Harris. I am sorry, Mr. Chairman.
Senator Leahy. No, no; go ahead.
Ms. Harris. I was going to then answer your question. The fact
is that at this particular point in time law enforcement has not
been frustrated by, or significantly frustrated by voice band
encryption. My point is, and you certainly underlined it in your re-
marks, Mr. Chairman, that we are trying to anticipate and get
ahead of the curve on this particular subject because we under-
stand the significance to law enforcement if, in fact, encryption de-
vices as powerful as Clipper Chip are out there without our ability,
under very circumscribed circumstances, to intercept and under-
stand criminal conversations.
Senator Leahy. We are going to demonstrate for you here a
laptop computer with a computer software that encrypts voice com-
munications. I appreciate what you said about the administration
wanting to be ahead of the curve and I think in a lot of these com-
munications and computer matters this administration has worked
to get ahead of the curve. But don't think that Clipper Chip is just
going to be used in normal straight voice communications because
people can put these encryption devices through their computers
and run it that way.
What I would ask is, about 900 wiretaps are conducted annually?
Ms. Harris. I think the figure in 1992, which is the last time we
have figures, is 919.
Senator Leahy. Did many of them involve encrypted conversa-
tions?
Ms. Harris. The short answer is no. Our concern is clear, Mr.
Chairman, that if these devices explode on the market, as we be-
lieve they will, we will begin to be truly frustrated and unable to
read criminal conversations.
Senator Leahy. We are talking about the Clipper Chip. Why
would a criminal organization or a terrorist organization buy some-
thing that has Clipper Chip in it for their encryption when they
can buy other non-government-authorized systems that are also
going to be extraordinarily difficult to crack, and perhaps impos-
sible?
Ms. Harris. There are two answers to that, Mr. Chairman, and
the first is — and this is just so true. I mean, why do they use tele-
phones now? I mean, we are able to intercept and obtain invaluable
evidence with court-authorized wiretaps because those kinds of or-
ganizations, knowing that we tap, continue to use the telephones.
I think the second answer to your question is that this is not
easy, but our sense is that the Clipper Chip technology is so far
advanced than anything else on the market or anything coming
down the road that it will be regarded both by legitimate people
and by illicit criminals as so powerful an encryption device that
they will purchase it, that it will be something that they will want
to use.
Senator Leahy. But if I was sitting up at my farm in Vermont
and running an international heroin, gun smuggling, and counter-
feit Ben and Jerry's organization, why wouldn't I just buy Pretty
Good Privacy, PGP, and just do it all by computer and fax? I mean
that seriously. Why wouldn't I just do that and say the heck with
you, and I could run it on the Internet?
Ms. Harris. Because right now, and I think for the foreseeable
future, the Clipper Chip is such a more powerful encryption device
that I would want, if I were you, to buy the best, and you, being
quite confident that the Feds would never catch up with you, would
want the best as well.
Senator Leahy. But that is my point. Suppose I really am con-
fident they are not going to catch me and I am really doing some-
thing very serious. Say I am in a rural location in the United
States and I am running an international drug ring, something
where there is enormous amounts of money so I can do whatever
I want and buy whatever I want. Why would I buy something with
Clipper Chip in it that comes, in effect, with a sign on it saying
the Federal Government holds the keys to decipher this?
Ms. Harris. Let me again respond in two ways. First of all, you
also will want to be making encrypted communications with legiti-
mate organizations, with banks, with other legitimate organiza-
tions, to send your messages, to move your illicit money out of the
country, to do a number of things. If the Clipper Chip technology
is purchased by legitimate people in this country because it is the
best technology, then you — shall we change our analogy — then the
criminal who is sitting up on a farm in Vermont is going to need
to communicate with those devices that the legitimate
Senator Leahy. If he wants to move money from the Chase Man-
hattan Bank to the Zurich National Bank, what you are saying is
there he would have to — because they were using Clipper Chip, he
would have to use Clipper Chip?
Ms. Harris. Let us go to Ill Wind. I mean, to the extent that we
have a defense procurement fraud case and we have people trying
to communicate with defense organizations and with legitimate
companies, if you believe — that is, if the drug trafficker up in Ver-
mont believes that the only way that he can interact with other
independent entities with encryption devices is to also buy Clipper
Chip, he is going to do it.
I suppose the second part of the answer is that to the extent that
this powerful encryption algorithm is one which manufacturers de-
cide to market because it is the very best, then I suppose that the
market for lesser devices is not going to be that great. It is not
going to be cost effective to produce those kinds of encryption de-
vices.
Senator Leahy. Of course, this also assumes that these legiti-
mate commercial organizations outside the United States are going
to want to use some kind of a standard for encryption that they
know the United States holds the keys, as compared to trying to
find some other standard created by some other country for which
the United States would not hold the key. We would see people in
this country buying the other country's technology. That is at least
a possibility?
Ms. Harris. Anything is possible. These are not easy issues, and
I will absolutely say that. There is something, though, that I think
needs be said perhaps not exactly in that context, but I think I
need to underline time and again, from our perspective what we
are talking about is already court-authorized interceptions of com-
munications, and that all Clipper Chip does — after a court has al-
ready authorized the interception of the communication, all that is
happening here is that we are getting the ability to understand the
content of those legitimately intercepted communications.
Senator Leahy. Well, as I understand it, the escrow agents re-
lease the keys when they get two faxes, one from the prosecutor
saying a wiretap order exists, and one from the law enforcement
agency requesting the keys for a particular chip I.D. number for
which they say they have a wiretap order. Now, the escrow agents
themselves never see this court order, is that correct?
Ms. Harris. It is correct that the escrow agents never see it
themselves, and let me explain why. Certainly, they have to certify
that there is a court order. Incidentally, the request — let us put it
this way: If DEA has a court-authorized wiretap up intercepting
the kinds of communications that I have already talked about that
are important and very criminal in nature, and if they hit some
white noise that sounds as if it is encrypted, law enforcement has
a decrypt device through which it can run a tape or the realtime
noise through and that little box will tell DEA that this is a Clip-
per chip-encrypted conversation, and it will give DEA an encoded
number coming off the chip.
That DEA agent and his supervisors will then communicate to
each of the independent escrow agents and certify that there is a
court order already in place authorizing them to intercept this com-
munication; that it is a key escrow-encrypted conversation; that
here is the number of the chip. This is going to the independent
escrow agents, and the court order will terminate — that is, our abil-
ity to intercept will terminate at such-and-such a date. Please communicate
back to our decrypt device the two pieces of the key that
will enable our decrypt device to decode the conversation so that
we may get it in realtime.
Senator Leahy. You could get it in realtime, then?
Ms. Harris. We need it in realtime.
Senator Leahy. Then how do those keys then get returned to the
escrow agent?
Ms. Harris. My understanding is that right now with the proto-
type, we will have to manually destruct the keys that are in the
encrypted box at the time that our authorization to intercept the
communications ends pursuant to court order. As this develops, Mr.
Chairman, and we are working through it right now, as I under-
stand it, there will be a way that they will self-destruct at the par-
ticular time at the end of the court-ordered interceptions.
Senator Leahy. So nothing gets returned to the escrow agents?
Ms. Harris. That is correct. Now, I should say that there are,
as you know, in our procedures substantial auditing requirements,
substantial recordkeeping requirements. I should have said as well
that after the DEA agent makes his faxed request to both of the
independent escrow agents and the process starts back in realtime,
it is required that the Federal prosecutor in charge of this case con-
tact the key escrow agents and confirm all of the certification that
has been put forth by the agent.
Senator Leahy. Now, this decryption device, the one that at least
puts the first trigger up to say your white noise is a Clipper Chip,
and number whatever
Ms. Harris. That is right.
Senator Leahy. Have those devices been made yet?
Ms. Harris. There is one.
Senator Leahy. I mean, how many of these are we going to have?
Are you going to have to have them all over the country?
Ms. Harris. Well, I think that we must — and we are very re-
spectful of this — we must keep very, very careful control of the
number of encryption devices. They are the kinds of items that I
don't think anyone would want spread all over the country.
Senator Leahy. Well, say, you have got a case in Tucson, AZ, and
you have got one in Burlington, VT, and Abilene, KS. I mean, these
are geographically kind of spread around. In each one of these
areas, one might assume that law enforcement, at least for the ru-
dimentary type of wiretaps, have equipment to do that, but one
decrypt device might not do them any good.
Ms. Harris. I mean, we are working through these issues right
now and are very, very sensitive to the fact that we do not want
proliferation of these decrypt devices. I believe that the technology
is such, or at least we are working on it, where you could transmit
the white noise to the box in a centrally located place and get the
answer.
Senator Leahy. How big is this decryption device going to be? I
assume it is something relatively small.
Ms. Harris. It is not huge. When I said small box to my staff,
they said, well, it is not small.
Senator Leahy. Bigger than a bread box, smaller than a
Ms. Harris. I think it is about the size of — I was just getting
ready to say, and my able staff says, it is a PC. It is that size.
Senator Leahy. Do you and the administration see any need for
new legislation to implement your Clipper Chip proposal?
Ms. Harris. The short answer is no.
Senator Leahy. So you are ready to just go ahead, no matter
what we might think here?
Ms. Harris. Well, we always very, very carefully consider what
is said here.
Senator Leahy. Yes, yes, yes. [Laughter.]
Ms. Harris. But let me go further, Mr. Chairman. Again, if you
look at it the way that I have described, what we are talking about
is simply a more sophisticated way to understand more sophisti-
cated coding of criminal conversations.
Senator Leahy. Wearing my hat from another committee, there
is one part, though, you may have some interest in talking to us
about. How much is this thing going to cost?
Ms. Harris. I think you know that to the extent that the Depart-
ment has already invested in these devices for law enforcement
Senator Leahy. No, but just running the escrow system is going
to cost you millions of dollars a year, won't it?
Ms. Harris. I don't have easy estimates on that, Mr. Chairman.
Senator Leahy. Wearing the other hat from the Appropriations
Committee, we may be looking at some legislation. Do you think
that as part of the reporting requirements, the Justice Department
should give Congress a full accounting of where these decrypt devices
are? I mean, these things are set up so they can unlock a
coded serial number. They can get direct transmission of the keys
from the escrow agents. They can use the keys to decrypt Clipper-
encrypted conversations. Do you think there should be any report-
ing requirement of where they are?
Ms. Harris. Well, I mean certainly there should be a reporting
requirement, and what we intend to do is two things, really. We
intend to report to the Administrative Office of U.S. Courts where
we already report all of our court-authorized wiretaps. We will cer-
tainly report there that a wiretap was encrypted and decrypted
with key escrow encryption.
Also, my understanding is that to the extent that the intelligence
committees are giving oversight that the information would be
made available to them. We assume the Administrative Office of
U.S. Courts is going to report to Congress, as it does every year.
Senator Leahy. If you say there is no legislation required, I
would assume that the Justice Department at least anticipates reg-
ulations being promulgated?
Ms. Harris. What we have done, and I will be happy to go
through it in more detail, is we have promulgated internal regula-
tions that are designed to assure that the integrity of this system
will be protected. What it does is internally guide us in terms of
the process by which our agents go to get the keys, certify the proc-
ess by which the keys come back, the process by which we audit
very carefully. We plan to audit every single encryption instance.
Senator Leahy. Would the AG be able to change the set of es-
crow agents after the initial selection?
Ms. Harris. It is not
Senator Leahy. Suppose you have got an escrow agent who says,
wait a minute, I think this is wrong, I don't think that this key
should be released. Could the Attorney General just say, well, then
we are going to get a different escrow agent?
Ms. Harris. Well, let me say a couple of things. One, we are still
open and looking at the options with respect to escrow agents. But,
two, it is really very important that there be some continuity once
the escrow agents are in place. It is not contemplated that, with
the appropriate certification, the escrow agent, other than looking
at the certification and saying this is not enough, this is wrong —
I don't think that you will find the Attorney General wanting to
change escrow agents simply because one said no.
Senator Leahy. Well, stranger things have happened. I worry
about the security of the system. If I understand this correctly,
every Clipper Chip has the same family key programmed into it.
Law enforcement uses the family key to decode the intercepted se-
rial number which the targeted chip sends out, I guess, at the be-
ginning of every conversation. If they have that, they can get the
government's duplicate set of decoding keys from the escrow agents
following the normal procedure.
If they have got the decrypt device, the initial step, at least, can
be done by anybody who has got one of the devices. I mean, let us
assume that it has happened on occasion that illegal wiretaps have
been done even by law enforcement. If they have got the initial
decrypt device, they can at least have the family key or the num-
ber.
Now, they can't get the decoding keys unless the escrow agents
give them to them. Of course, without drawing this out too far,
somebody had to make the decoding keys for the escrow agents.
Somewhere, they are out there — that is what I am getting to, or
the potential is out there.
Ms. Harris. But the potential is so minuscule. I mean, the pro-
tections that are built into this system to give everyone the assur-
ance that no single person can illicitly get into this system. I must
say with respect to the family codes, even if you got that, because
those are coded, you wouldn't be able to get the number to send
off to the escrow agents, as I understand it.
I mean, we are talking about independent escrow agents. We are
talking about a requirement that a prosecutor go back to the es-
crow agents and confirm all the certifications. I mean, we built it
in both mechanically and humanly that there are checks and
doublechecks and doublechecks.
Senator Leahy. If you have the decrypt device, even if you don't
know what I am saying, you at least know who I am because you
know the unique I.D. number of the device I am calling from.
Ms. Harris. I don't think I would know where you were calling
from, even. I would know a number, period. I would not be able to
track the number.
Senator Leahy. We have several ongoing reviews; let me make
sure I have got them right. We have got a White House interagency
working group, the NIST, and the National Research Council of the
National Academy of Sciences. You haven't fully implemented the
key escrow system or the decrypt device, to see how this works. Are
we moving ahead of ourselves in this? Having expressed the earlier
concern about the Federal Government always trying to stay carefully
and traditionally behind the curve, are we getting a little bit
ahead of the curve on this one?
Ms. Harris. Let me put it this way. The studies that you have
alluded to, Mr. Chairman — the White House policy study is com-
pleted, and although one continues to study these matters and will
continue to study them for as long as they are important, that is
completed. The NIST part of this, as I understand it, although it
is probably better addressed to Mr. Kammer, is completed. I don't
know about the last study that you have alluded to, but I think we
are moving at the appropriate speed. And, yes, speaking of the
technology, we are attempting to stay ahead of the curve.
Senator Leahy. If we allow American companies to export Clip-
per Chip to non-U.S. users, say a non-U.S. user in France, what
happens when the French law enforcement or intelligence commu-
nity calls up and says, "by the way, we are kind of worried about
Harris Ltd. that has just set up in the Bordeaux region. We don't
think they are just selling wine. Can we have the keys to tap in?"
Ms. Harris. I think that we must very, very carefully control
this technology and the ability to use it. As I say, we have tried
to put in place procedures that will assure that. I think, with re-
spect to foreign law enforcement requests, a couple of things. One,
I think we have to take it on a case-by-case basis, and I think that
even on a case-by-case basis I think we have to consider very care-
fully keeping the technology and the hardware, for that matter,
with us and just go ahead and do the translation for them; that is,
give them the words, the decrypted words, but there is no reason
for us to go beyond that.
[The prepared statement of Jo Ann Harris follows:]
Prepared Statement of Jo Ann Harris
Mr. Chairman, members of the Subcommittee, I am pleased to be able to appear
before you today to talk about a matter vital both to the protection of privacy and
to the preservation of public safety.
As this Subcommittee understands quite well, many groups engaged in the most
serious and violent criminal conduct — including drug traffickers, organized crime
groups, and major street gangs — rely on electronic communications to conduct their
illicit activities. Without the continued ability to conduct lawfully authorized wiretaps,
law enforcement at the Federal, State, and local level will be seriously hampered
in its ability to protect society from the depredations of these criminals.
Even though it is used sparingly, electronic surveillance has been crucial to effec-
tive law enforcement. Evidence from electronic surveillance has resulted in the con-
victions of more than 22,000 felons over the past decade. Indeed, without wiretaps,
some extremely significant criminal activity could not be detected or properly investigated —
much less successfully prosecuted. Wiretaps are not a routine investigative
technique and are only used when other techniques have proven, or are likely to
be, unsuccessful — often because those other techniques pose too great a risk to police
or cooperating individuals. Wiretaps permit law enforcement authorities to penetrate
closely controlled but highly sophisticated enterprises that might otherwise
engage in wholesale criminal activity with impunity. Society cannot afford to lose
the protection wiretaps afford it.
At the same time, technology is making it increasingly possible for individuals
and private enterprise to protect the confidentiality of personal and proprietary information
through the use of encryption — the electronic "scrambling" of communications.
The market now offers high-quality voice encryption in an affordable, portable,
easy-to-use form. We anticipate that many legitimate users will acquire these
and similar devices to protect their confidential information; we worry, however,
that such devices will also be used by criminal organizations to shield their illegal
enterprises.
As you know, Mr. Chairman, last year the Clinton Administration sought to ad-
dress both these important issues by announcing the availability of key-escrow
encryption (sometimes referred to as the "Clipper Chip"). Key-escrow encryption has
two fundamental features. First, it uses an extremely strong algorithm, one 16 mil-
lion times stronger than the Data Encryption Standard — DES — and so strong that
law enforcement can only decrypt it with a key that is unique to each individual
key-escrow encryption chip. Second, to assure the public of the privacy afforded by
key-escrow encryption, that unique key is split into two components that are held
by two independent entities serving as escrow agents. Those two entities may release
key components only to government agencies when needed for lawfully authorized
interceptions.
As the Administration has made clear on a number of occasions, the key-escrow
encryption initiative is a voluntary one; we have absolutely no intention of mandat-
ing private use of a particular kind of cryptography, nor of criminalizing the private
use of certain kinds of cryptography. We are confident, however, of the quality and
strength of key-escrow encryption as embodied in this chip, and we believe it will
become increasingly attractive to the private sector as an excellent, easy-to-use
method of protecting sensitive personal and business information.
The Clinton Administration has been farsighted in seeing the advent of high-quality,
user-friendly encryption products and the implications of such products. It has
also been prepared to act early, when markets are still developing and when both
consumers and manufacturers are seeking strong, reliable cryptography for use in
mass-market products.
We believe, therefore, Mr. Chairman, that, as one major equipment manufacturer
has already done, others will respond to their customers' needs for extremely strong
encryption by marketing key escrow-equipped products. And as that occurs, we look
for a gravitation of the market to key-escrow encryption, based on both a need for
interoperability and a recognition of its inherent quality. Even many of those who
may desire encryption to mask illicit activities will choose key-escrow encryption be-
cause of its availability, its ease of use, and its interoperability with equipment used
by legitimate enterprises.
Mr. Chairman, let me speak about the key-escrow system in a bit more detail,
beginning with the selection of the two entities that are serving as key escrow
agents. In selecting escrow agents, we looked for a number of important qualifica-
tions. Among other things, the candidates needed to:
• Be experienced in handling sensitive materials;
• Be familiar with communications and computer issues;
• Be able to respond quickly, and around the clock, when government agencies
need to have encryption keys issued to them; and
• Be generally regarded by the public as both reliable and effective.
Especially to get the system up and running, we believed it made sense to look
to agencies of the Executive branch. In light of that consideration and the criteria
I have just mentioned, the Commerce Department's National Institute of Standards
and Technology (NIST) and the Treasury Department's Automated Systems Division
appeared to be the two best candidates; and they have been so designated.
NIST, as you are well aware, has long experience in matters relating to protection
of sensitive, unclassified information and, indeed, has been pivotal in the development
of the key-escrow encryption initiative. Treasury's Automated Systems Division —
which is not part of any of the Treasury law enforcement agencies — is a 24-hour
a day operation that is well experienced in handling matters of the utmost sensitivity.
As you know, on February 4, 1994, the Administration made a number of announcements
regarding encryption policy generally, and key-escrow encryption specifically.
Among those announcements were the designation of the escrow agents
and the publication of the procedures under which the escrow agents would be per-
mitted to release key components:
• To Federal law enforcement authorities for use in wiretaps under Title III of
the Omnibus Crime Control and Safe Streets Act of 1968, as amended (Title
III);
• To State or local law enforcement authorities for use in wiretaps under state
statutes; and
• To Federal agencies for use in wiretaps under the Foreign Intelligence Surveillance
Act (FISA).
Let me describe for you the kinds of circumstances under which escrowed key
components will be made available to government agencies when needed in conjunc-
tion with lawfully authorized wiretaps.
Mr. Chairman, as this Subcommittee well understands, Federal laws clearly lay
out the circumstances in which wiretaps may be conducted, consistent with the Con-
stitution. Wiretaps not lawfully authorized are criminal offenses — offenses that we
take very seriously. Moreover, as the Subcommittee is aware, Federal law enforcement
agencies may conduct wiretaps only for the most serious kinds of offenses and
do so only after an extremely careful internal review of the need for, and the propri-
ety of, a wiretap. That review process requires not only careful screening within the
particular investigative agency — at both the local and headquarters level — but a
thorough evaluation by a supervising prosecutor, usually an Assistant U.S. Attorney
in the district in which the wiretap will be conducted. At each of those levels, there
is a close review of the proposal to ensure that there is probable cause for the wire-
tap, that the case justifies use of this important technique, and that alternative
techniques are not satisfactory. Finally, no Federal Title III application may proceed
without approval at a senior level within the Department of Justice. I would also
note that no FISA application may proceed without the approval of the Attorney
General.
And, Mr. Chairman, that leads to the most important point which is that, whether
for criminal or foreign intelligence purposes, the statutes require court authorization
for wiretaps, even in the extremely rare cases in which they have begun under an
emergency authorization. In a criminal case, the Government must show probable
cause to believe that the telephone targeted is being used in furtherance of a specific
serious Federal criminal offense. In a FISA case, the Government must show prob-
able cause to believe that the target of the surveillance is a foreign power or an
agent of a foreign power and that the facility or place, such as the telephone, is
being used by a foreign power or agent of a foreign power.
When we talk about access to escrowed components, therefore, we are talking
about the ability of government agencies — Federal, State, or local — to decrypt com-
munications when they are already lawfully authorized to intercept those commu-
nications as part of a wiretap. We are not talking about any change in the protec-
tion of the privacy of telecommunications. Nor are we talking about any additional
authorization from the courts. The applicable statutes already permit government
agencies that are authorized to conduct wiretaps to acquire the content of the inter-
cepted communications and, if necessary, to translate or decode the communications
as part of that process.
Let us assume, then, that government agents — DEA, for the sake of argument —
are conducting a court-ordered wiretap and encounter unintelligible communications
they think may be key-escrow encryption. What do they do? First, they can run the
communications — live or on tape — through a so-called decrypt processor. The
decrypt processor — a specially programmed and equipped personal computer — can
tell the agents whether key-escrow encryption is being used and, if so, the unique
ID number of the particular chip. This last point is critical, of course, because each
chip has its own truly unique key; without knowing the ID number of the chip, the
law enforcement agency cannot determine which key components to request.
Armed, however, with that information, they can submit a key component request
to the two escrow agents, NIST and Treasury. In that request, they'll be required,
among other things, to:
(1) Identify themselves and the agency they're with;
(2) Certify that they're conducting a lawful wiretap;
(3) Specify the source of the wiretap authority and its termination date;
and
(4) Provide the chip ID number.
To provide greater reassurance, the certification by the DEA agents must be fol-
lowed by a communication from a Federal government attorney associated with the
matter, confirming that a wiretap has been lawfully authorized.
When the escrow agents receive a properly submitted request, they transmit their
respective key components to the requesting agency; the components are combined
within the decrypt processor which, only then, is able to decrypt communications
using the particular chip. At the end of the authorized wiretap period, the decrypt
processor's ability to decrypt communications using that particular chip will likewise
terminate, and the escrow agents are to be so informed.
Those, in skeletal form, are the procedures for release of key components to Fed-
eral law enforcement agencies for criminal wiretaps. Similar procedures will apply
to the release of key components for use in wiretaps authorized under State stat-
utes. The most notable difference is that, for release to State or local law enforce-
ment agencies, the request must come from the principal prosecuting attorney of the
State or political subdivision involved — normally, the State Attorney General or the
District Attorney of the particular county. Finally, in the case of wiretaps under
FISA, the request will be made by a Federal agency and will be subject to follow-
up confirmation by the Department's Office of Intelligence Policy and Review.
The Administration recognizes that public confidence in this system is of para-
mount concern. The persons at NIST and Treasury who are responsible for the
maintenance and, when appropriate, the release of key components are extremely
serious about ensuring that they release key components only under proper circumstances.
Meticulous procedures for the programming of the chips, and for the
storage and handling of the keys, are being developed and refined. Even for tests
of the system — decrypting communications over government-owned devices — there
will be a full simulation of the request and release process.
The transactions of the escrow agents will be logged and recorded electronically,
permitting subsequent review and audit. In addition, the Department of Justice will
be responsible for ascertaining that the requesting agencies fully comply with the
procedures at the various stages of the process. We will also reflect, in the respective
reports to the Congress regarding wiretaps under Title III and FISA, those
wiretaps in which key-escrow encryption was encountered and for which key components
were released to a government agency.
Mr. Chairman, we have worked to develop procedures that strike the right balance
between the rigorous protection of the privacy of communications and the need,
in critical moments, to be able to decrypt such communications in order to protect
lives and preserve the public safety. Through a combination of procedural require-
ments, technical safeguards, and audit capabilities, we believe that these procedures
will assure the integrity of the key-escrow encryption system without frustrating the
ability of government agencies to understand encrypted communications in the
course of lawful wiretaps.
I have appreciated the opportunity to discuss with you this very important issue,
and I shall be happy to try to answer any questions the Subcommittee may have.
Senator Leahy. Thank you. I have a number of other questions
for the record, but Senator Murray has joined us. She is proposing
legislation on this, and before we go to Mr. Kammer, I didn't know,
Senator, whether you had any questions you wanted to ask of Ms.
Harris.
STATEMENT OF SENATOR PATTY MURRAY
Senator Murray. Well, thank you, Mr. Chairman. I will reserve
my time to ask questions later. I do have an opening statement I
will submit for the record. I very much appreciate your having this
hearing and asking me to join you here today. This is an especially
important topic in my State, where high technology is the key to
our economic future and, really, the Clipper Chip proposal has had
a chilling effect on a number of innovations that are coming along.
I have a number of questions that the chairman has asked that
I think have not been satisfactorily answered. I believe that tech-
nology is going to be way ahead of where we are. I am very con-
cerned that we are investing a great deal of time and energy and
commitment into a Clipper Chip proposal, while our technology has
moved way past that and it will be outdated within a very short
time.
So, I will pass on questions at this time and will be here to hear
the rest of the testimony. Thank you.
Senator Leahy. Thank you.
[The prepared statement of Senator Patty Murray follows:]
Prepared Statement of Senator Patty Murray
Chairman Leahy, I appreciate the invitation to join you today for this important
hearing.
Over the last decade, high technology and software manufacturing have become
a strong force in Washington state's economy. Growth in this sector has helped offset
job losses in aircraft manufacturing. Exports are an increasingly critical part of
our software production, helping to cushion downturns in our domestic economy.
That is why the Administration's Clipper Chip proposal has had a chilling effect
on software manufacturers in my state. For years, companies like Microsoft have
struggled with burdensome, expensive and often anti-competitive U.S. export con-
trols on encrypted software. Now, the Federal Government wants to dictate to com-
panies what they can sell here at home, too.
High technology is key to our economic future. Cold War export controls are a
thing of the past.
I have heard the arguments on all sides. On a laptop in my office in the Hart
building, I have had DES encrypted software downloaded from Austria on the
Internet. In January of this year, the Software Publishers Association found 210 foreign
encryption products from 21 countries of which 129 use the Data Encryption
Standard.
When I go with my teenagers to Egghead Software I read the "For Sale Only
in the U.S." on Windows programs anyone can buy and pack in a suitcase. We cannot
keep the genie in the bottle. The genie left a good long while ago, and Federal
efforts to put the genie back in the bottle will be futile.
As the Acting Undersecretary of Commerce wrote to Banking Committee Chair-
man Riegle a few weeks ago: "At a time when product life cycles for high tech items
last no longer than one or two years, the existing statute (the Export Administration
Act) inhibits the long term market potential for U.S. industry." That is why I believe
legislation I introduced with Senator Bennett in February, S. 1846, is the correct
way to go on the export problem. My bill would retain controls on exports of generally
available encrypted software for intelligence or military use, but not for commercial
use.
I look forward to today's testimony.
Senator Leahy. Mr. Kammer, it is all yours. Go ahead, and then
we will go back to further questions.
STATEMENT OF RAYMOND G. KAMMER
Mr. Kammer. Perhaps I could make three points and then go to
the demonstration. First of all, the escrowed encryption standard
is voluntary. It is not mandatory. It is voluntary for use both by
government and by the private sector. Secondly — this is for the
record because of some public discussion of this — there is no trap
door in the escrow encryption standard. And then the third point
is the U.S. Government needs encryption for civil privacy application —
census data, the IRS, and the like.
Because the U.S. Government will ultimately buy a lot of what-
ever it selects, the price will presumably go down. Also, because
people will have reasons to have conversations with the govern-
ment perhaps in an encrypted environment, that will tend also to
influence the marketplace. It seems to me that it is important that
the government, to the extent it is influencing the marketplace, in-
fluence the marketplace in a way that does not harm law enforce-
ment, and this standard does that.
Those are my three points. If you would like, I will go to a dem-
onstration.
Senator Leahy. Would you, please?
Mr. Kammer. Sure. This is the TSD 3600 you have, Mr. Chair-
man, by you, and what I intend to do is phone you from here and
then engage the TSD 3600, which has in it a Clipper Chip. What
will happen is there will be an initial sort of negotiation between
this device and the device there that will take about four seconds,
and they are negotiating what is called a session key, which is a
unique key that will engage the algorithm in the chip for our con-
versation, after which we will be able to have a conversation.
In addition, I have brought a tape recording of what people
would hear if they intercepted because there wasn't any convenient
way to set it up here.
Senator Leahy. Sure.
Mr. Kammer. So, with that, I will dial in.
Senator Leahy. My God, it worked. I take back everything I said.
[Laughter.]
Mr. Kammer. We are now engaged in a normal encrypted con-
versation.
Senator Leahy. I can hear it.
Mr. Kammer. I will now engage the encryption. All you need to
do is watch. At this point, the two devices are negotiating a session
key. As I said before, it takes about four seconds. There is now
emerged a session number which should be the same number for
each of us, sir, which is FB 57.
Senator Leahy. Interestingly enough, there is a slight delay, a
fraction of a second delay, of the voices going back and forth. The
only way I am aware of that is I can hear you in one ear, your ac-
tual voice, and hear you in here. But, obviously, it is being slowed
down by about a quarter of a second.
Mr. Kammer. Yes, sir. The quality of the voice, however — if we
weren't in the same place, it would be a little less irritating. You
can perceive the lag even if we were in remote locations, but the
quality of the voice is actually quite good, in my opinion.
Senator Leahy. Yes, it is very good, not like the old-fashioned
scrambled phones.
Mr. Kammer. With that, I have cleared, and if you hit "clear" on
your end, then we can just hang up. If there were now some person
who was intercepting that conversation, or some other, it would
sound as this will once I get it going.
[There follows a transcription of an audio tape:]
This recording is designed to demonstrate the ability of the TSD 3600, equipped
with Clipper technology, to secure voice communications. I have been talking over
a telephone with a TSD 3600 in the clear mode. I will now initiate the secure mode.
Senator Leahy. That was the identifying number.
Mr. Kammer. That is right. That was the preamble where they
were negotiating a session key, and then that static sound is the
white noise that people would hear.
Senator Leahy. Now, has the Department of Justice bought
these?
Mr. Kammer. They have purchased 9,000 devices at this point.
Senator Leahy. Is that going to replace the old STU phones?
Mr. Kammer. The application that this is cleared for at this time
is for civil data, not classified data. The STU's, as you know, are
for classified data.
Senator Leahy. Has anybody outside the government bought any
of these devices with the Clipper Chip in it?
Mr. Kammer. At this point, they are just coming on the market
and if there are any deployed, it would be a negligible number at
this point.
Senator Leahy. And if I had this on my phone and you did not
have it on yours, I can still call you just in the clear?
Mr. Kammer. No problem; normal communications.
Senator Leahy. But if I hit my red button, you are going to hear
a beep and a clunk?
Mr. Kammer. Well, it won't find anybody to negotiate with, so it
will just sort of sit there and dither. [Laughter.]
Senator Leahy. Heck, I am used to that. [Laughter.]
[The prepared statement of Raymond G. Kammer follows:]
Prepared Statement of Raymond G. Kammer
Introduction
Good morning. My name is Raymond G. Kammer, Deputy Director of the Com-
merce Department's National Institute of Standards and Technology (NIST). Thank
you for inviting me here today to testify on the Administration's key escrow
encryption initiative. The Computer Security Act of 1987 assigns NIST responsibility
for the development of standards for protecting unclassified government computer
systems, except those commonly known as "Warner Amendment systems" (as
defined in Title 10 U.S.C. 2315).
In response to the topics in which the Committee expressed an interest, I would
like to focus my remarks on the following:
(1) The principal encryption policy issue confronting us,
(2) The importance of encryption technology,
(3) How voluntary key escrow encryption technically works and how it en-
sures privacy and confidentiality,
(4) Alternatives to the voluntary key escrow initiative,
(5) Critical components of the Administration's policy on encryption tech-
nology,
(6) Recent initiative to modify Secure Hash Standard, and
(7) The effectiveness of the Computer Security Act of 1987.
1. THE PRINCIPAL ENCRYPTION POLICY ISSUE
First, I would like to broadly outline an important public policy and societal issue
confronting us today regarding unclassified government and commercial cryptog-
raphy. In developing cryptographic standards, one can not avoid two often compet-
ing interests. On the one hand are the needs of users — corporate, government, and
individual — in protecting telecommunications transmissions of sensitive information.
Cryptography can be used for excellent information protection. On the other hand
are the interests of the national security and law enforcement communities in being
able to monitor electronic communications. In particular, I am focusing upon their
need for continued ability to keep our society safe from crime and our nation secure.
Rapid advances in digital telecommunications have brought this issue to a head.
Some experts have stated that, within ten years, most digital telecommunications
will be encrypted. Unless we address this issue expeditiously, law enforcement will
lose an important tool in fighting crime — the ability to wiretap — and the mission of
our Intelligence Community will be made more difficult. The Committee is undoubtedly
aware of the benefits such intelligence brings to the nation. This matter raises
broad societal issues of significant importance. I have personally been involved in
many meetings of a philosophical and wide-ranging nature to discuss this dilemma.
Four broad conceptual alternatives emerged:
• Seek a legislative mandate criminalizing the use of unauthorized cryptography.
• Seek wide adoption of an encryption method with an unannounced "trap door."
This was never seriously considered.
• Seek wide voluntary adoption of a technology incorporating a secure "key es-
crow" scheme.
• Allow technology to evolve without government intervention; in effect, do noth-
ing.
None of these options satisfies all interested parties fully. I doubt such a solution
even exists, but the Administration has chosen the voluntary key escrow technology
approach as the most desirable alternative for protecting voice communications
without impairing the ability of law enforcement agencies to continue to conduct
wiretaps. For data communication the long-standing Data Encryption Standard has
recently been recertified for use.
It is interesting to note that other countries have faced this same issue and cho-
sen different solutions. France, for example, outlaws the use of unregistered cryp-
tographic devices within its borders.
2. THE IMPORTANCE OF ENCRYPTION TECHNOLOGY
Encryption provides one of the best ways to guarantee information integrity and
obtain cost-effective information confidentiality. Encryption transforms intelligible
information into an unintelligible form. This is accomplished by using a mathematical
algorithm and a "key" (or keys) to manipulate the data in a complex manner.
The resulting enciphered data can then be transmitted without fear of disclosure,
provided, of course, that the implementation is secure and the mathematical-based
algorithm is sound. The original information can then be understood through a
decryption process. As I shall discuss, knowledge of the particular key utilized for
a particular encryption of information (or, in the case of asymmetric cryptography,
knowledge of the associated key of the key pair) allows decryption of the informa-
tion. For this reason, such keys are highly protected.
Uses of cryptography
Encryption can be used in many applications for assuring integrity and confiden-
tiality, or both. It can be used to protect the integrity and/or confidentiality of phone
calls, computer files, electronic mail, electronic medical records, tax records, corporate
proprietary data, credit records, fax transmissions and many other types of
electronic information. It is expected that cryptographic technologies will be used on
a voluntary basis in the protection of information and services provided via the Na-
tional Information Infrastructure.
Encryption used with these and other types of information protects the individual
privacy of our citizens including, for example, their records and transactions with
government agencies and financial institutions. Private sector organizations can also
benefit from encryption by securing their product development and marketing plans,
for example. It also can protect against industrial espionage by making computers
more secure against unauthorized break-ins and, if data is encrypted, making it use-
less for those without the necessary key.
The government has long used cryptography for the protection of its information —
from that involving highly classified defense and foreign relations activities to un-
classified records, such as those protected under the Privacy Act. My point here is
not to list all potential applications and benefits but to give you a feel for the innu-
merable applications and benefits which encryption, when securely implemented,
can provide.
Hazards of cryptography
Counterbalanced against its benefits, encryption also can present many substan-
tial drawbacks — to both the government and other users. First and foremost,
encryption can frustrate legally authorized criminal investigations by the federal,
state, and local law enforcement agencies. As their representatives can better ex-
plain, lawful electronic surveillance has proven to be of the utmost benefit in both
investigating and prosecuting serious criminal activity, including violent crime.
Cryptographic technologies can also seriously harm our national security and intelligence
capabilities. As I shall discuss, the Administration recognizes that the consequences
of wide-spread, high quality encryption upon law enforcement and national
security are considerable.
Encryption may also prove a potential hazard to other users, such as private sec-
tor firms, particularly as we move into the Information Age. Private firms, too, are
concerned about the misuses of cryptography by their employees. For example, a
rogue employee may encrypt files and offer the "key" for ransom. This is often referred
to as the "data hostage" issue. Keys can also be lost or forgotten, resulting
in the unavailability of data. Additionally, users of encryption may gain a false
sense of security by using poorly designed or implemented encryption. To protect
against such hazards, some corporations have expressed interest in a "corporate"
key escrowing capability to minimize harm to their organizations from internal misuse
of cryptography. As security experts point out, such a false sense of security can
be worse than if no security measures were taken at all. Encryption is not a "cure-all"
to all security problems.
Let me now turn to the details of the Administration's key escrow encryption ini-
tiative.
3. VOLUNTARY KEY ESCROW ENCRYPTION INITIATIVE
Goals of the voluntary key escrow encryption initiative
I will begin my remarks about the government-developed key escrow encryption
chips (referred to as "chips" herein) by discussing the goals that we were trying to
achieve in developing this technology for application to voice-grade communication.
At the outset, we sought to develop a technology which provides very strong pro-
tection for government information requiring confidentiality protection. Much of the
sensitive information which the government holds, processes, and transmits is per-
sonal and requires strong protection. Tax records and census data are two such ex-
amples. We sought nothing less than excellent protection for government commu-
nications. In order to allow agencies to easily take advantage of this technology, its
voluntary use (in Federal Information Processing Standards (FIPS) 185) to protect
telephone communications has been approved by the Secretary of Commerce.
The chips implementing FIPS 185 efficiently support applications within its scope.
They far exceed the speed requirements of commercial modems existing today or en-
visioned for the near future.
In addition to the need for strong information protection, the increasingly
digitized nature of advanced telecommunications is expected to significantly hamper
the ability of domestic law enforcement to carry out lawfully authorized wire-
tapping. Their problem has two dimensions.
First, the design and complexity of the nation's telecommunications networks
makes locating those communications which can be lawfully tapped very difficult.
This is the digital telephony issue, which my law enforcement colleague will discuss
today.
Second, the proliferation of encryption is expected to make law enforcement's
tasks more difficult. If a telephone conversation is encrypted, resources must be expended
for decryption, where feasible. Such expenditures and technical capabilities
are normally far outside the ability of local law enforcement organizations and could
be quite significant at the federal level. In seeking to make available a strong
encryption technology, we have sought to take into account the needs of the law en-
forcement community. For example, one of the reasons that the SKIPJACK algo-
rithm, the formula on which the key escrow chip is based, is being kept classified
is that its release would make their job much harder were it to be used to hide
criminal activity.
Misconceptions concerning the purpose of the voluntary key escrow encryption initia-
tive
A number of those opposed to this Administration initiative have expressed doubt
about whether the key escrow encryption initiative can do anything to solve this na-
tion's crime problem. Of course, this initiative cannot by itself do so. The basic in-
tent of the program is the provision of sound security, without adversely affecting
other government interests, including, when necessary, the protection of society
through lawfully authorized electronic surveillance.
The voluntary key escrow encryption initiative, first and foremost, was devised to
provide solid, first-rate cryptographic security for the protection of information held
by the government when government agencies decide such protection is needed for
unclassified government communications — for example, tax, social security and pro-
prietary information (The Escrowed Encryption Standard (FIPS 185) allows federal
agencies to use this technology for protection of telephone communications.) This
was done, in part, with the realization that the current government cryptographic
technique, the Data Encryption Standard (which was recently re-approved) is over
fifteen years old; while DES is still sound, its usefiilness will not continue indefi-
nitely. We also recognized that were we to disclose an even stronger algorithm (with
the government's "seal of approval"), it could be misused to hamper lawful investigations,
particularly electronic surveillance.
In approving this initiative, we felt it important that protective measures be
taken to prevent its misuse — a safety catch, if you will. This will help assure that
this powerful technology is not misused if adopted and used voluntarily by others.
Our method of providing this safety mechanism relies upon escrowing cryptographic
key components so that, if the technology is misused, lawful investigations will not
be thwarted. Additionally, the algorithm (SKIPJACK) will remain classified so that
its only uses will be consistent with our safety mechanism, key escrowing. I think
it is fair to say that use of this powerful algorithm without key escrowing could pose
a serious threat to our public safety and our national security.
Key escrow encryption technology
The National Security Agency, in consultation with NIST and the federal law enforcement
community, undertook to apply voluntary key escrow encryption technology
to voice-grade communications. The product of this effort was announced in
the April 16, 1993 White House release concerning the key escrow encryption chip.
I note that we have chosen to discontinue use of the term "Clipper Chip" to avoid
potential confusion with products and services with similar names.
The state-of-the-art microcircuit, the key escrow encryption chip, can be used in
new, relatively inexpensive encryption devices that can be attached to an ordinary
telephone. It scrambles telephone communications using an encryption algorithm
more powerful than many in commercial use today. The SKIPJACK algorithm, with
an 80-bit long cryptographic key, is approximately 16 million times stronger than
DES. For the record, I will restate my earlier public statements that there is no
trapdoor in the algorithm.
Each key escrow encryption chip has two basic functions. The first is an
encryption function, which is accomplished by the SKIPJACK algorithm, developed
and rigorously tested by NSA. The second function is a law enforcement access
method. I will discuss each briefly.
The SKIPJACK algorithm is a symmetric algorithm (as opposed to "public-key"
algorithms). Basically, this means that the same cryptographic key (the session key)
is used for both encryption and decryption. The algorithm is so strong that the Department
of Defense will evaluate it for use in protecting selected classified applications.
The second basic function of the chip is the provision for law enforcement access
under lawful authorization. To do so, each chip is programmed with three values:
a cryptographic family key, a device unique key, and a serial number. (The device
unique key is split into two key components which are then encrypted and are pro-
vided to the two current escrow agents, NIST and the Automated Systems Division
of the Department of the Treasury, for secure storage.) These three values are used
in conjunction with the session key (which itself encrypts the message) in the cre-
ation of the law enforcement access field. When law enforcement has obtained law-
ful authorization for electronic surveillance, the serial number can be obtained elec-
tronically. Law enforcement can then take the serial number and a certification of
their legal authorization to the two escrow agents. (Detailed procedures for the release
of these key components were issued by the Department of Justice in early
February.) After these certifications are received, the encrypted components will be
transmitted by escrow agent officials for combination in the decrypt-processor.
After decryption of the key components within the decrypt processor, the two key
components are then mathematically combined, yielding the device unique key. This
key is used to obtain another key, the session key, which is used to decrypt and
understand the message. This device unique key may be used by law enforcement
only for the decryption of communications obtained during the applicable period of
time of the lawful electronic surveillance authorization. It can also only be used to
decrypt communications transmitted or received by the device in question.
Security and privacy using key escrow encryption
When the Administration announced the voluntary key escrow encryption initia-
tive, we anticipated that questions would be raised about the strength and integrity
of the SKIPJACK algorithm, which is at the heart of the system. We assured the
public that we knew of no weakness in the algorithm and that there was not an
undisclosed point of entry, commonly referred to as a trapdoor. The algorithm was
designed by cryptographic experts at the National Security Agency and withstood
a rigorous testing and analysis process.
As a further way to indicate the fundamental strength of SKIPJACK, we invited
a group of independent experts in cryptography to review the algorithm, under ap-
propriate security conditions, and make their results publicly known, again, consist-
ent with the classified nature of the algorithm. This group consisted of Ernest
Brickell (Sandia National Laboratories), Dorothy Denning (Georgetown University),
Stephen Kent (BBN Communications Corp.), David Maher (AT&T) and Walter
Tuchman (Amperif Corp.). These experts reported that:
• Under an assumption that the cost of processing power is halved every eighteen
months, it will be 36 years before the cost of breaking SKIPJACK by exhaustive
search will be equal to the cost of breaking DES today;
and
• There is no significant risk that SKIPJACK can be broken through a shortcut
method of attack.
Let me also repeat the reasons why the algorithm must remain classified. First,
we believe it would be irresponsible to publish the technical details. This would be
tantamount to handing over this strong algorithm to those who may use it to hide
criminal activity. Publishing the algorithm may also reveal some of the classified
design techniques that NSA uses to design military-strength technology. It would
also allow devices to be built without the key escrowing feature, again allowing
criminals to take advantage of the strength of this very powerful technology without
any safeguard for society.
With regard to privacy, key escrow encryption can, of course, be used to protect
personal information contained in telephone communications. Moreover, the voluntary
key escrow encryption initiative does not expand the government's authority
for the conduct of electronic surveillance, as my colleague from the Federal Bureau
of Investigation will discuss. It is important to understand that the escrow agents
will not track the devices by individual owners; they will simply maintain a
database of chip ID numbers and associated chip unique key components (which
themselves are encrypted).
4. ALTERNATIVES TO THE VOLUNTARY KEY ESCROW INITIATIVE
In reaction to industry's concerns about our hardware-only implementation of key
escrow encryption, we announced an opportunity for industry to work with us on
developing secure software-based key escrow encryption. Unfortunately, initial in-
dustry interest was minimal; our offer, however, remains open. We are also willing
to work on hardware alternatives to key escrowing as we emphasized in our recent
announcements.
The Administration has been seeking to meet with members of the computer, soft-
ware, and telecommunications industries to discuss the importance of this matter.
We are open to other approaches.
5. KEY GOVERNMENT POLICIES ON UNCLASSIFIED/COMMERCIAL ENCRYPTION
Encryption is an important tool to protect privacy and confidentiality
As I discussed earlier, encryption is powerful technology that can protect the con-
fidentiality of data and the privacy of individuals. The government will continue to
rely on this technology to protect its secrets as well as the personal and proprietary
data it maintains. Use of encryption by federal agencies is encouraged when it cost-
effectively meets their security requirements.
No legislation restricting domestic use of cryptography
Early in the policy review process, we stated that the Administration would not
be seeking legislation to restrict the use, manufacture, or sale of encryption products
in the U.S. This was a fear that was expressed in the public comments we received,
and one that continues, despite our repeated assertions to the contrary. Let me be
clear — this Administration does not seek legislation to prohibit or in any way re-
strict the domestic use of cryptography.
Export controls on encryption are necessary but administrative procedures can be
streamlined
Encryption use worldwide affects our national security. While this matter cannot
be discussed in detail publicly without harm to this nation's intelligence sources and
methods, I can point to the Vice President's public statement that encryption has
"huge strategic value." The Vice President's description of the critical importance of
encryption is important to bear in mind as we discuss these issues today.
In recent months, the Administration has dramatically relaxed export controls on
computer and telecommunications equipment. However, we have retained export
controls on encryption technology, in both hardware and software. These controls
strongly promote our national security. These export controls include mass market
software implementing the Data Encryption Standard. The Administration deter-
mined, however, that there are a number of reforms the government can implement
to reduce the burden of these controls on U.S. industry.
These reforms are part of the Administration's goal to eliminate unnecessary con-
trols and ensure efficient implementation of those controls that must remain. For
example, fewer licenses will be required by exporters since manufacturers will be
able to ship their approved products from the U.S. directly to customers within approved
regions without obtaining individual licenses for each end user. Additionally,
the State Department has set a license review turnaround goal of two working days
for most applications. Moreover, the State Department will no longer require that
U.S. citizens obtain an export license prior to taking encryption products out of the
U.S. temporarily for their own personal use. Lastly, after a one-time initial technical
review, key escrow encryption products may now be exported to most end users.
These reforms should help to minimize the effect of export controls on U.S. industry.
The government requires a mechanism to deal with continuing encryption policy is-
sues
In recognition of this, the Interagency Working Group on Encryption and Tele-
communications was formed in recognition of the possibility that the economic sig-
nificance of our current encryption policy could change. The Working Group has
been assigned to monitor changes in the balance that the President has struck with
these pohcy decisions and to recommend changes in policy as circumstances war-
rant. The Working Group will work with industry on technologies like the key escrow
encryption chip and in the development and evaluation of possible alternatives
to the chip.
The group is co-chaired by the White House Office of Science and Technology Policy
and the National Security Council. It includes representatives from all departments
and agencies which participated in the policy review and others as appropriate,
and keeps the Information Policy Committee of the Information Infrastructure
Task Force apprised of its activities.
Flexibility on encryption approaches
From the time of the initial White House announcement of this technology, we
have stated that this key escrow encryption technology provides:
(1) Exceptionally strong protection and
(2) A feature to protect society against those that would seek to misuse
it.
I have personally expressed our flexibility in seeking solutions to these difficult
issues. We have offered to work with industry in developing alternative software
and hardware approaches to key escrowing. We actively seek additional solutions
to these difficult problems.
We also stand willing to assist the Congressionally-directed study of these issues
by the National Research Council.
Use of EES is voluntary and limited to telephone systems
The Escrowed Encryption Standard, which was approved on February 3, 1994, is
a voluntary standard for use both within and outside of the federal government. It
is applicable for protecting telephone communications, including voice, fax and
modem. No decisions have been made about applying key escrow encryption technology
to computer-to-computer communications (e.g., e-mail) for the federal government.
Government standards should not harm law enforcement / national security
This is fairly straightforward, but can be difficult to achieve. In setting standards,
the interests of all the components of the government should be taken into account.
In the case of encryption, this means not only the user community, but also the law
enforcement and national security communities, particularly since standards setting
activities can have long-term impacts (which, unfortunately, can sometimes be hard
to forecast).
6. SECURE HASH STANDARD
As the Committee may be aware, NIST has recently initiated the process to issue
a technical modification to Federal Information Processing Standard 180, the Secure
Hash Standard. The Secure Hash Standard uses a cryptographic-type algorithm to
produce a short hash value (also known as a "representation" or "message digest")
of a longer message or file. This hash value is calculated such that any change to
the file or message being hashed, will, to a very high degree of probability, change
the hash value. This standard can be used alone to protect the integrity of data files
against inadvertent modification. When used in conjunction with a digital signature,
it can be used to detect any unauthorized modification to data.
Our intent to modify the standard was announced by NIST after the National Se-
curity Agency informed me that their mathematicians had discovered a previously
unknown weakness in the algorithm. This meant that the standard, while still very
strong, was not as robust as we had originally intended. This correction will return
the standard to its intended level of strength.
I think this announcement illustrates two useful issues with regard to cryptographic-based
standards. First, developing sound cryptographic technology is very
difficult. This is also seen with commercial algorithms, including those used for
hashing and encryption. Secondly, this incident demonstrates the commitment of
NIST, with NSA's technical assistance, to promulgating sound security standards.
In this case, a weakness was found, and is being quickly corrected.
7. EFFECTIVENESS OF THE COMPUTER SECURITY ACT OF 1987
Lastly, as requested in your invitation to appear here today, let me briefly address
the effectiveness of the Computer Security Act of 1987 (P.L. 100-235). I will first
briefly comment on what we learned about the state of computer security in the federal
government during our agency visit process and then turn to cryptographic-specific
issues.
As part of our efforts to increase awareness of the need for computer security,
during 1991-1992, officials from OMB, NIST and NSA visited 28 federal departments
and agencies. Each visit was designed to increase senior managers' awareness
of security issues and to motivate them to improve security. I believe that what
we learned during those visits remains valid — and indicates that we still need to
focus on basic computer security issues in the government.
Specifically, OMB, NIST and NSA proposed the following steps to improve security:
• Focus management attention on computer security.
• Improve planning for security.
• Update security awareness and training programs.
• Improve contingency planning and incident response capabilities.
• Improve communication of useful security techniques.
• Assess security vulnerabilities in emerging information technologies.
Actions are being taken by NIST and other agencies to address each of these
areas. The background and discussion of the need for these measures is discussed
in the summary report prepared by OMB on "Observations of Agency Computer Se-
curity Practices and Implementation of OMB Bulletin No. 90-08" (February 1993).
In short, the Computer Security Act provides an appropriate framework for agencies
— to continue improving the security of their automated systems — but much
work remains to be done, by NIST and individual federal agencies.
One of the questions that the Committee was interested in was whether there is
a need to modify this legislation in response to the same advancements in tech-
nology that led to the key escrow initiative and digital telephony proposal. First, I
would observe that the Act, as a broad framework, is not tied to a specific technology.
I think it would be unworkable if the Act were to address specific computer
technologies, since this is a rapidly evolving field. Also, I would note that the Act
does not address digital telephony concerns — the Administration is proposing sepa-
rate legislation in that area. In short, no modifications to the Act are necessary be-
cause of technology advances.
Before leaving the subject of the Computer Security Act, however, let me briefly
comment on the Escrowed Encryption Standard. I strongly believe that NIST and
NSA have complied with the spirit and intent of the Act. At the same time, this
issue underscores the complex issues which arise in the course of developing com-
puter security standards, particularly cryptographic-based standards for unclassified
systems.
The Act, as you are aware, authorizes NIST to draw upon computer security
guidelines developed by NSA to the extent that NIST determines they are consistent
with the requirements for protecting sensitive information in federal computer systems. In the area of cryptography, we believe that federal agencies have valid requirements for access to strong encryption (and other cryptographic-related standards) for the protection of their information. We were also aware of other requirements of the law enforcement and national security community. Since NSA is considered to have the world's foremost cryptographic capabilities, it only makes sense
(from both a technological and economic point of view) to draw upon their guidelines
and skills as useful inputs to the development of standards. The use of NSA-de-
signed and -tested algorithms is fully consistent with the Act. We also work jointly
with NSA in many other areas, including the development of criteria for the security
evaluation of computer systems. They have had more experience than anyone else
in such evaluations. As in the case of cryptography, this is an area in which NIST
can benefit from NSA's expertise.
Summary
Key escrow encryption can help protect proprietary information, protect the pri-
vacy of personal phone conversations and prevent unauthorized release of data
transmitted telephonically. Key escrow encryption is available as a valuable tool for
protecting federal agencies' critical information communicated by telephone. At the
same time, this technology preserves the ability of federal, state and local law en-
forcement agencies to intercept lawfully the phone conversations of criminals.
Encryption technology will play an increasingly important security role in future
computer applications. Its use for security must be balanced with the need to protect all Americans from those who break the law.
Thank you, Mr. Chairman. I would be pleased to answer your questions.
Raymond G. Kammer is the Deputy Director of NIST. He is responsible for the
day to day operation of the Institute as well as long-range planning and policy development. NIST is the only Federal laboratory explicitly charged with providing
technical research and services to enhance U.S. industrial competitiveness. NIST
provides support for industry's development of precompetitive generic technologies
and diffusing technological advances to users in all segments of the economy. In ad-
dition, NIST provides the measurements, calibrations, and quality assurance tech-
niques which underpin U.S. commerce, technological progress, improved product re-
liability and manufacturing processes, and public safety. NIST carries out many of
these efforts in partnership with industry and government.
A graduate of the University of Maryland, Kammer joined NIST in 1969 as a program analyst. Over the following decade he served the agency and the U.S. Department of Commerce in a succession of offices concerned with budgetary and program
analysis; planning; and personnel management. In 1980, Mr. Kammer was ap-
pointed Deputy Director of NIST. He also has served as Acting Director of NIST,
Acting Director of the National Measurement Laboratory, and Acting Director of the
Advanced Technology Program.
In 1991, Kammer was named the Deputy Under Secretary for Oceans and Atmosphere, NOAA, Department of Commerce. While in that position, he served as NOAA's Chief Operating Officer and was responsible for overseeing the day-to-day operation of NOAA's five major line offices. In 1993, Kammer returned to NIST as Deputy Director.
In addition, Kammer has chaired several important evaluation committees for the
Department of Commerce, including reviews of satellite systems for weather mon-
itoring and the U.S. LANDSAT program, and the next generation of weather radars
used by the U.S. government. He also served a three-year term on the Board of Di-
rectors of ASTM, a major international government for the development of voluntary
standards for materials, products, systems, and services.
His awards include both the Gold and Silver medals of the Department of Com-
merce, the William A. Jump Award for Exceptional Achievement in Public Adminis-
tration, the Federal Government Meritorious Executive Award, and the Roger W.
Jones Award for Executive Leadership.
Senator Leahy. You are working with industry, as I understand
it, to improve on the key escrow chips, to develop key escrow soft-
ware, and to examine alternatives to Clipper Chip. What are the
improvements and alternatives to Clipper Chip that NIST is considering, or have I overstated the situation?
Mr. Kammer. We are in active collaboration with four private
sector entities that responded to a public advertisement that we
made, and the intent was to have discussions both on hardware im-
provements and software. In the case of the hardware improve-
ments, what people are interested in is can the algorithm be incor-
porated on some other chip that is already in a communications de-
vice, for instance, thereby reducing the power requirements.
The full name of the game in communications is you want to be
portable, you want to be light, you want to take no power at all,
ideally, or very little power. To incorporate the clipper hardware on
a portable telephone, for instance, it uses enough power now to be
irritating to the manufacturers. They don't think it is very attrac-
tive until we can reduce the power.
In terms of the software, we would like to see if we can find a
concept, and we have not yet, where we would be able to preserve
law enforcement and still encrypt in a software mode rather than
a hardware mode. Intellectually, that is a very formidable idea. If
you could ever think of a way of doing it, you would have the best
of all worlds, in that you use no power when you use software and,
of course, it doesn't weigh anything, so that would be very desirable.
Those discussions have been — the group that has been undertaking this has been meeting biweekly since last — bimonthly — I am sorry — since last December working on these issues.
Senator Leahy. There is no way to get in on the conversation you
and I had? There would be no way for somebody to put a device
like this on the line between the two of us and pick it up, or is
there?
Mr. Kammer. Yes, sir, there would be, with considerable effort.
I mean, they would have to know which line it was going to pass
through, which is a very formidable problem in itself, but let us say
somehow people have
Senator Leahy. Well, let us say you are calling me from Chicago
and I am in Vermont, but they know what office you are going to
call from.
Mr. Kammer. Right, so they would put it on a wire.
Senator Leahy. So they would have to be within a few feet of
where you are. Can they do that?
Mr. Kammer. Then what would happen is you would not get the
indication that it was secure. The negotiation would say "retry" in-
stead of "secure."
Senator Leahy. It would pick up the fact that there is something
in the way of the connection?
Mr. Kammer. It would know that there was what we call a man
in the middle. It would know that there is such an individual there.
If I went to that much trouble, probably what I would rather do
is just put a microphone under your desk.
Senator Leahy. Well, that was going to be my next question.
The National Research Council of the National Academy of
Sciences is doing a 2-year study of shortcomings in how national
encryption policy is made, and Clipper Chip, and so on. Is there
any reason why the administration couldn't wait to implement its
Key Escrow Encryption System until after we got this study?
Mr. Kammer. The urgency from our point of view was that prod-
ucts like the TSD 3600 were coming into the marketplace, and
what drove us was indeed that happening and the possibility — and
this can still happen, but the technology would just whirl ahead of
us and we would wake up one morning — suddenly there were fax
machines everywhere, you know, and maybe suddenly there was
the TSD 3600 with an algorithm in it that was very vexing to law
enforcement, and that could still happen. I mean, Clipper is vol-
untary. People could pick something else, and they may.
Senator Leahy. Well, suppose they don't pick Clipper Chip. Are
we going to stop the use of it?
Mr. Kammer. No, sir. We still have a substantial influence on the
marketplace just because of price and because of the convenience
of communicating with the government. Additionally, the experts
in this field, I think, tend to underestimate the formidable task of
most normal people setting up their own personal encryption net.
It is not a trivial thing to do.
Indeed, many people use good algorithms and set the net up so
poorly that they are exploitable because of the defects in how they
set it up. In a nation where most people can't program their own
VCR's, I mean this is something to think about.
Senator Leahy. Senator Murray points out it is OK because our
kids can. There is an 8-year-old girl who lives across the street and
we call her over to set the thing up and she takes care of it for
us. [Laughter.]
Are foreign governments going to permit the use of Clipper Chip
or Capstone overseas?
Mr. Kammer. We have started some discussions with foreign gov-
ernments. It is an interesting problem. Most of the Western Euro-
pean countries actually have laws on the books, in many cases
since the 1920's, that allow them to regulate all use of encryption.
Some countries are rather active in their enforcement of these
laws, some are rather lax, but the laws exist on the books.
Senator Leahy. If we are setting an industry standard, what do
you do if some of the major countries, especially those that have
major commercial interests with us, say no, or we will let you use
it, but only if we have the keys?
Mr. Kammer. That is all a negotiation to take place.
Senator Leahy. Is any of it taking place now?
Mr. Kammer. There have been some initial discussions with se-
lected governments. It may be that Admiral McConnell would have
more to share with you in the following session.
Senator Leahy. Now, I understand that software is available
that could be used with Clipper to bypass the key escrow feature.
A sender of information can first encrypt the information with software using DES or RSA algorithms, then transmit that information
double-encrypted with Clipper. So, in other words, even if you
decrypt Clipper, what you do is you peel the onion off and under-
neath it is still an onion, an encrypted one. Doesn't that defeat
you?
Mr. Kammer. You are exactly correct, and indeed that would con-
found our intent. However, you had to go through a couple of trou-
blesome steps here and to the extent that you have done it success-
fully, we are confounded. Most people probably won't go to that
much trouble, experience suggests, or won't do it successfully, expe-
rience suggests.
Senator Leahy. Is the administration considering outlawing all
other encryption methods?
Mr. Kammer. We took as one of our assignments during the
presidentially instructed review to consider that and we rejected it.
We think that mandatory regulation in this area would be an inap-
propriate approach for our society.
Senator Leahy. Last year when you testified before Representative Markey's subcommittee, you were asked if foreign companies
would purchase Clipper Chip and you replied, "I think under the
current circumstances, probably if I were running a foreign com-
pany, that would be a decision I would not make." Do you still feel
that way?
Mr. Kammer. I have been surprised. In conversations with a lot
of the multinational companies, what they seem to assign a very
high priority to is something they can use everywhere. They are
substantially less concerned about the ability of our government, at
least, to access their information. They have expressed concerns
about what they view as the practice of some other governments
of intercepting commercial information to share with commercial
companies, and that does worry them, but people were less resist-
ant than I imagined at that time.
Senator Leahy. So if you were back there last April before Congressman Markey's subcommittee, would you give the same answer?
Mr. Kammer. Knowing what I knew then, I think I would have
been obliged to.
Senator Leahy. No, but today.
Mr. Kammer. No, I wouldn't.
Senator Leahy. If other countries don't let Clipper Chip in, do we
have a problem using the information superhighway that every-
body wants to get on now? I mean, I look at Internet where I can
go and pick up articles from a university in Australia or commu-
nicate with somebody in Eastern Europe. I mean, what about this?
Are we suddenly going to see countries cutting off Internet?
Mr. Kammer. There is going to have to be at some point a worldwide solution to this. The power of Internet is too attractive. People
aren't going to be willing to forgo that, and any country that
forgoes is forgoing economic opportunity that means they won't sur-
vive for that long.
The critical things that you are going to need for commerce are,
first of all, digital signature. If you want to sell or buy from people
you have never met, you have to have some unambiguous way of
assuring that they indeed incurred the debt and that they are lia-
ble for it. Digital signature is that solution. You are going to need
some way of sealing data so you can be confident that it wasn't
changed. That is sometimes called message authentication. Those
two things are absolutely necessary for commerce. For many kinds
of commerce, you are also going to need some kind of confidential-
ity that goes across borders. This is a difficult problem.
Senator Leahy. And it becomes more difficult if Clipper Chip is
the standard. I really cannot imagine a number of these countries
allowing it, no matter what commercial disadvantage they might be
put at, without having a way of cracking into it.
Mr. Kammer. The possibility of some solution that doesn't in-
volve a trusted third party, whoever it is — I haven't thought of any-
thing myself, nor have I talked to anybody that has thought of any-
thing that goes to some balance between protection from criminal
activities balanced with privacy. What most people say it is not
possible to do it at all and therefore let us just go a hundred per-
cent privacy, the heck with the law enforcement. I don't know how
it is going to come out.
Senator Leahy. Well, can you imagine any groundswell of enthu-
siasm here in the United States for giving these keys to some other
country, no matter who they are?
Mr. Kammer. I can't.
Senator Leahy. Now, I understand that the cost of establishing
the escrow system will be about $14 million and the cost of running
it will be about $16 million annually. Is there any statutory author-
ity for these expenditures?
Mr. Kammer. During the review that we did, there was a legisla-
tive review as well and we have the authority under the Computer
Security Act, as it amended the NIST Organic Act. There is no au-
thorization for the money at this point.
Senator Leahy. Ms. Harris, I think you were very forthcoming
with the Justice Department's view on legislation, but if there is
enough concern here, there will be legislation.
Senator Specter?
Senator Specter. Thank you very much, Mr. Chairman.
In noting the examples of cryptographic products which are being
produced by others, are there some, Mr. Kammer, that are more
complicated and more difficult to decrypt?
Mr. Kammer. If you have two well-designed algorithms, then the
measurement is usually something called the work factor, and that
is how long it would take you to try all the possible keys that exist,
but that first big "if" is a real big "if." There are algorithms that
are out in public use that seem to have rated very long work fac-
tors that indeed are not all that well designed. So, first, you have
to know is it really designed as well as it is labeled, and then, sec-
ondly, if so, then you can start comparing work factors. Presuming
two good algorithms, the one with the biggest work factor is pre-
sumably the best one.
Senator Specter. Well, you lost me. Let me try again.
Mr. Kammer. Sure.
Senator Specter. Are there some cryptogram systems that we
cannot break at this moment?
Mr. Kammer. Yes, sir.
Senator Specter. Are there any cryptogram systems that cannot
be broken with enough energy and time applied?
Mr. Kammer. No, sir, but the amount of time could range into
hundreds, you know, of years.
Senator Specter. All right, so criminal elements or foreign
agents could have access to cryptogram systems which we might
not be able to break except with very extensive efforts.
Mr. Kammer. That is correct. That presumes a rather sophisti-
cated criminal who is also very disciplined about implementing the
system, but yes.
Senator Specter. General Harris, what pause does that give you
for wiretaps if it is possible for organized crime or sophisticated for-
eign agents to use these cryptographic systems?
Ms. Harris. It is clearly of grave concern. Our hope with Clipper
Chip is that it will become a device of choice so widespread that
at least we will not have developed and then made available pri-
vately a technology which will frustrate law enforcement.
Senator Specter. With so many of these other cryptographic devices available from so many other countries — Australia, Denmark, Finland, Germany, Israel, Russia, the United Kingdom — isn't there
sufficient competition with this kind of a device so that whatever
we do with ours won't make a whole lot of difference? Won't foreign agents or criminals who want access to secret cryptography be able to have it, whatever we do with Clipper Chip?
Ms. Harris. It is our hope that if Clipper Chip becomes the
standard of choice for legitimate businesses that there will come a
time when even illegitimate criminal enterprises will have to com-
municate with legitimate operators around the world.
Senator Specter. But, General Harris, why should it become the
product of choice when there are so many others available?
Ms. Harris. I must tell you, Senator, that my understanding is
that although others are available, they are not that good; that
Clipper is — probably "light years" is too strong a word, but that Clipper is so much stronger than the available — is so much stronger
and so much better than what is available that, developed and
made available, as the intention is, to the market, it will be the
encrypter of choice. I mean, that is the hope. At least it will be one
that this country has developed which will not frustrate law en-
forcement.
Senator Specter. Given technology's rapid advances, is there
any estimate as to how long it would be before someone is likely
to produce a better system?
Ms. Harris. I think that I would not speculate on that, Senator.
Clearly, people are working on it, and clearly we are not just sort
of stopped with Clipper Chip either. I mean, there must be a con-
tinuing review and work on this subject. I mean, this is a subject
of grave concern to law enforcement, I am sure you understand.
Senator Specter. When the codes would be in the hands of two
governmental agencies, is there a possibility that they might be
used without a court order in a system which requires a court
order for a wiretap?
Ms. Harris. I do not believe that they will be misused without
court order. We have built into our protocols several fail-safe provi-
sions. For instance, as you have noted, first of all, obviously, we
have got to have a court order. The certification by the law enforce-
ment agent who picks up an encoded conversation pursuant to
Clipper Chip is required to certify to both of the independent key
escrow holders that there is a court order, when it is going to end,
and the identifying numbers.
Each one of those independent escrow agents has to act inde-
pendently to send back to the decrypt device the appropriate codes
that have to be combined in the machine, and then the responsible
Federal officer, if it is a Federal wiretap
Senator Specter. Who is the custodian for this code in the De-
partment of Justice, or who is the proposed custodian?
Ms. Harris. For the two escrow agents?
Senator Specter. Yes.
Ms. Harris. NIST is one, and what comes down to the command
center at the Department of Treasury is the other right now.
Senator Specter. So Justice will not be a custodian?
Ms. Harris. That is absolutely correct. We have very carefully
picked key escrow holders that are not law enforcement agencies.
Senator Specter. Treasury has significant law enforcement func-
tions.
Ms. Harris. Not this aspect of Treasury, Senator.
Senator Specter. Which aspect is it?
Ms. Harris. It comes down to the command center at Treasury.
It is part of their Automated Systems Division. It is on their ad-
ministrative side.
Senator Specter. Well, it is very interesting. I recall being a
lieutenant in the Air Force years ago in the Office of Special Inves-
tigation in the special branch called Cryptography, and from that
vantage point I have always doubted that anything is a secret.
I have had experience where only three highly trusted people in
a major investigation I ran years ago in the district attorney's office
in Philadelphia knew about a matter; I have always had real res-
ervations about how secret you can be.
Let me just ask both of you one final question, and that is do you
really think we can make it so that it is secret? General Harris?
Ms. Harris. I believe that we can make it and, with human and
mechanical technological safeguards, make it literally impossible
for the whole system to be misused, and that it will function pursu-
ant to court-authorized interceptions and function simply as a
translator, so to speak, so that we can understand the content of
communications that a court has authorized us to intercept.
Senator Specter. Mr. Kammer, will it really be secret?
Mr. Kammer. Yes, sir, I believe that we can be successful in
making it secret.
Senator Specter. Well, the technology is fascinating. We had the
Director of the FBI in on a hearing not too long ago and the shoe
was on the other foot. The Director of the FBI was asking for legis-
lation which would enable the FBI to keep up with the crooks, with
all of the changes in the telephone system. So this subcommittee
has its work cut out for it, but we will try to be helpful.
Thank you very much. Thank you, Mr. Chairman.
The Chairman. Senator Murray?
Senator Murray. Thank you, Mr. Chairman.
Mr. Kammer, has NIST evaluated the foreign programs that are
available?
Mr. Kammer. We have occasionally evaluated selected ones out
of interest. The NSA has done a much more thorough-going job and
you may find it useful to discuss that in the next hearing.
Senator Murray. OK; thank you. On April 28, the Wall Street
Journal quoted a computer expert as predicting criminals will rou-
tinely encrypt information within 2 years. Do you agree with that
assessment?
Mr. Kammer. I think the timeframe of 2 years is extremely un-
likely at this point. I don't think there will be widespread use even
among sophisticated users in 2 years.
Senator Murray. Would Clipper Chip affect that timetable in
any way?
Mr. Kammer. Well, I can sort of reason by analogy. DES was re-
leased 17 years ago and for the first 5 years it was regarded, be-
cause it had come from the government, with fear and loathing by
all, and then it gradually began to penetrate the marketplace and
now it is the choice for banking and for a number of other uses.
That process took about 12, 13 years before it really got to the
point where it was in widespread use. I don't think this will hap-
pen that quickly — quicker than that, but not very quickly.
Senator Murray. So you don't see the Clipper Chip becoming
commonplace for 10 to 15 years?
Mr. Kammer. Things happen faster now than they did 15 years
ago, but I think it will be at least 5 years before any marketplace
choice emerges, Clipper or possibly something else. This is vol-
untary. People may pick something else.
Senator Murray. And you don't think that anybody can figure
that out in the next 15 years?
Mr. Kammer. DES still serves us well and it is 17 years old.
DES' work factor, if you will, is 2 to the 56th. This is 2 to the 80th.
It is 16 million times stronger than DES, Clipper is.
Senator Murray. Do you have any way of knowing if someone
figures it out?
Mr. Kammer. My guess is that it would be so rapidly dissemi-
nated on the Internet and people would be so proud of themselves
that I would hear from many sources simultaneously.
Senator Murray. OK; thank you.
Senator Leahy. Well, of course, on the Internet we found Pretty
Good Program
Mr. Kammer. Protection, PGP.
Senator Leahy. Pretty Good Protection. That zipped out there
and now the government is raising issues about whether that was
an unlawful exporting of encryption. We know how quickly things
move. There is no reason to think that somebody else won't do that.
I am going to submit a number of questions for the record to both
of you, if you don't mind. I have questions ranging everywhere from
why one supplier of Clipper Chip and the obvious questions of mo-
nopoly that come out of that, to a number of other technical ques-
tions.
I appreciate your testimony, and I want to tell you that I am not
an automatic fan of Clipper Chip or the proposals of the adminis-
tration on this. I would ask you, if you go back over the questions
and answers and you find there is more information and more ma-
terial you want us to have, in all fairness, please feel free to bring
it forth.
[The questions of committee members are found in the appendix:]
Ms. Harris. Thank you.
Senator Leahy. Thank you. We will take about a 2-minute recess
to set up for the next panel. Thank you very much.
[Recess.]
Senator Leahy. We are back on the record.
Our first witness will be Whitfield Diffie, an engineer and cryptographer with Sun Microsystems, Inc. Mr. Diffie is the inventor of the concept of public key cryptography and one of the founding members of the International Association for Cryptographic Research.
Mr. Diffie, we will begin with you.
PANEL CONSISTING OF WHITFIELD DIFFIE, ENGINEER AND
CRYPTOGRAPHER, SUN MICROSYSTEMS, INC., MOUNTAIN
VIEW, CA, ON BEHALF OF THE DIGITAL PRIVACY AND SECU-
RITY WORKING GROUP; AND STEPHEN T. WALKER, PRESI-
DENT, TRUSTED INFORMATION SYSTEMS, INC., GLENWOOD,
MD
STATEMENT OF WHITFIELD DIFFIE
Mr. Diffie. Well, we know you hear about skulduggery in these
things. My notes just disappeared.
Senator Leahy. The dog ate them?
Mr. Diffie. I frankly don't know. I went back to pick up my
notes and I can't find them.
Senator Leahy. Would you like some more time?
Mr. Diffie. No, no; that is fine. Thank you. Maybe this will make up in freshness for what it lacks in preparation.
I want to thank you, to start with, for inviting me to this. This
is sort of appropriate. You introduced me as the inventor of the
concept of public key cryptography. I did it working with Marty
Hellman at Stanford University nearly 20 years ago, and the con-
cept we introduced that is, in fact, in the TSD 3600 over there in
some sense created this whole problem because prior to that all
cryptographically secure networks required a central administra-
tion that actually had the power to decrypt traffic. It had to hold
keys in order to make introductions that would allow it to decrypt
traffic, and the techniques that we had the privilege of pioneering
have allowed systems like this in which the phones negotiate di-
rectly with each other and no third party is able to read the traffic.
So I guess I deserve whatever happens.
Subsequently, I went to Northern Telecom. I say this just to emphasize that I have had some experience with communications security in the telecommunications environment. After 12 years of
that, I came to Sun Microsystems and I am now very involved with
Internet and Internet sort of security and things of that kind.
I have three things I was asked to comment on, and let me try
to get through them rather quickly. I view this from a broad per-
spective. I try not to get tied up in individual issues of this network
of programs that are being proposed — the Clipper, the Capstone,
the Digital Telephony bill, and the Digital Signature.
I believe there is a fundamental issue here of whether we should
be using the power of technology to increase the privacy of citizens
or to expand the power of the government, and I accept the legit-
imacy of that power in a lot of cases, to use electronic surveillance
against its citizens and against other people.
I think there has been a lot of what I would call irresponsible
comment to the effect that cryptography represents something new,
it represents some sort of absolute privacy, and since this new
thing has appeared, it needs to be regulated.
I think if you look back to the era of the Bill of Rights, you will
see that at that time any two people could have a private conversa-
tion merely by having the common sense to walk 100 yards off
away from people. They would know there were no tape recorders,
no shotgun microphones, and they would be having a private con-
versation. Nobody in the world today has that assurance. If you are
talking on a secure phone, if you are talking in a secure conference
room, you are depending on the cooperation of hundreds of people
who built and maintain those systems.
So individuals can no longer achieve privacy in the way they
could then, and the impact of this — the credible impact, I believe,
for our democracy is that the integrity of political speech, which
frequently means the privacy of political speech, is something that
is, in the Madisonian view, the root of the legitimacy of laws in a
democracy.
I think that with the progress of technology, what has happened
is that we are in a position where if we do not make it a national
priority to protect individual privacy, to guarantee that when indi-
viduals want privacy they can have it, we will have an ebbing away
of the privacy that is essential to the democratic process.
Now, since we are short of time here, let me turn quickly — it is
a rare privilege to speak on an issue where it seems that matters
of conscience and matters of business go side by side. Sun
Microsystems does about half its business outside the country and
we are proud to be part of what we regard as building the infra-
structure of the future information society, and that infrastructure
will, in particular, be the infrastructure that will support the
commerce of the future.
The infrastructure of commerce has always required security.
Ships' holds, warehouses, bills of lading — all of this is the classical
security machinery of commerce, and if we are going to have the
promise that the information society offers, we are going to need
to have international standards for security. They can't be some-
thing that are weighted to try to give particular advantages to par-
ticular governments, particular agencies, et cetera.
My final point — I was asked to comment on alternatives, and I
see that light has turned yellow, which means I should be turning
yellow, I suppose.
Senator Leahy. No, no; don't worry about it. They give me some
latitude around here, so go ahead. [Laughter.]
Mr. Diffie. I have been asked to speak on alternatives to this
matter, and I think you can't speak about alternatives without ask-
ing first whether there is a problem and what the problem is, and
therefore what the various possible solutions are.
In looking at the evidence that has been presented before this
committee and other places for either the problems of law enforce-
ment or intelligence, I don't find the evidence compelling. There is
no question that particular sources of intelligence get closed off
from time to time, but if you look at technical intelligence and par-
ticular technical law enforcement facilities, you will find they are
growing by leaps and bounds.
In electronic surveillance, warrants — I haven't been able to get
the exact percentage that are, so to speak, room bugs and the per-
centage that are taps, but I know that in many of these cases tradi-
tional bugging accounts for a good deal of the information, and
bugs are getting smaller, higher fidelity, harder to detect, et cetera.
If you similarly look at intelligence, you find that electronic intel-
ligence is expanding dramatically, and the reason is that improved
particularly radio and mobile communication channels draw far
more valuable traffic into vulnerable channels than ever is pro-
tected by the introduction of technical measures. I don't know if
that will go on forever, but it has been progressing steadily for dec-
ades now.
On the other hand, one can say that, in fact, alternatives to this
will come about of their own accord. If you look at cryptography as
a security measure, you have no choice but to distinguish two
cases, communications and storage.
Now, in communications the view is that the communications are
ephemeral. You don't try to save your own cipher text. You don't
worry about having to get it back if the keys to a conversation are
lost later. As a matter of fact, you particularly want them to go
away. Senator Specter mentioned the various spy scandals and
things, and worrying about keeping things secret. In fact, the two
most dramatic spy scandals prior to Ames in our own recent his-
tory were both cryptographic spies who kept keying material after
they were supposed to have destroyed it and then sold it to the
KGB.
The advantage of a device like the original TSD 3600 or the
STU-III is that it creates ephemeral keys that exist only for the
duration of one conversation and then are destroyed when the con-
versation ends and cannot be rederived from any of the surviving
information. On the other hand, to create escrow agents, no matter
how carefully constructed, is to create keys that stay in existence
for months or years or decades after the conversations that they
protected, and that is to create a potential loophole of immense pro-
portions.
On the other hand, if you look at cryptography to protect storage,
then you have no choice at anything above the individual level but
to provide alternative mechanisms of access to the information. If
a corporation were to keep its records encrypted — and there would
be many benefits to that; that would mean it could ship them out
over the Internet to storage sites so that if its headquarters burned
down it would be able to get them back immediately. It would
nonetheless have to be sure that somebody other than one archivist
or one controller or something like that had the keys that protected
this information. There would have to be alternative mechanisms
that would be under the control of the corporate officers and they
would provide them
Senator Leahy. They go through some of those same questions
about who has the keys even now in storing information in elec-
tronic files because you at least need a password to get into that
file.
Mr. Diffie. Yes, although typically fewer things are being done
cryptographically. Almost by definition, there are other ways other
than passwords to get around them.
Senator Leahy. It gives you a trap door.
Mr. Diffie. Well, we don't usually think of it that way. It is just
sort of a normal maintenance matter that if you take the machine
apart, then you get at the information in other ways.
Since I am aware of time, let me sum up by saying that suppose
we make a mistake in this decision; then there are two ways we
can make the mistake. We can either fail to adopt a key escrow
system now and when one is perhaps necessary, or we can adopt
a key escrow system when one is, in fact, not necessary. Which of
those mistakes would be worse?
My own view is that if we fail to adopt one this year — this talk
of getting out ahead of the curve, and so forth, is really not very
much to the point. Given that the life cycle of electronic equipment
is rather short — devices like that, people expect to replace every 2,
3, 5, or 7 years. If this market domination strategy for introducing
new cryptographic equipment that has this back door built into it
is taken up at any time — if it can succeed at all, it will succeed in
a few years.
On the other hand, suppose we do adopt something, despite all
its controls that I believe are very dangerous to the process of de-
mocracy and that represents a statement, in principle, somehow for
the first time that people don't really have a right to have con-
fidence in the measures they take to protect their own communica-
tions. Then I believe we will run the risk of building a bureaucracy
that is now defending this new power that it has gotten, and that
that would be very difficult to dislodge even if we subsequently de-
cided it had been a bad idea.
Thank you very much.
[The prepared statement of Whitfield Diffie follows:]
Prepared Statement of Dr. Whitfield Diffie
I would like to begin by expressing my thanks to Senator Leahy, the other mem-
bers of the committee, and the committee staff for the opportunity not only of ap-
pearing before this committee, but of appearing in such distinguished company.
I think it is also appropriate to say a few words about my experience in the field
of communication security. I first began thinking about cryptography while working
at Stanford University in the late summer of 1972. My feeling was that cryptog-
raphy was vitally important for personal privacy and my goal was to make it better
known. I am pleased to say that if I have succeeded in nothing else, I have achieved
that goal. Today, cryptography is a bit better known. In 1978, I walked through the
revolving door from academia to industry and for a dozen years was "Manager of
Secure Systems Research" at Northern Telecom. In 1991, I took my present position
with Sun Microsystems. This has allowed me an inside look at the problems of com-
munication security from the viewpoints of both the telecommunications and com-
puter industries. I am also testifying today on behalf of the Digital Privacy and Se-
curity Working Group, a group of more than 50 computer, communications and pub-
lic interest organizations and associations dedicated to working on communications
privacy issues.
THE KEY ESCROW PROGRAM
Just over a year ago, the Administration revealed plans for a program of key es-
crow technology best known by the name of its flagship product the Clipper chip.
The program's objective is to promote the use of cryptographic equipment incor-
porating a special back door or trap door mechanism that will permit the Federal
Government to decrypt communications without the knowledge or consent of the
communicating parties when it considers this necessary for law enforcement or in-
telligence purposes. In effect, the privacy of these communications will be placed in
escrow with the Federal Government.
The committee has asked me to address myself to this proposal and in particular
to consider three issues:
• Problems with key escrow, particularly in the area of privacy.
• The impact of the key escrow proposal on American business both at home and
abroad.
• Alternatives to key escrow.
ON SCOPE AND PERSPECTIVE
The problems of today are usually best viewed in historical perspective. A century
ago, the world witnessed the development of the first global telecommunications sys-
tems, with the appearance of transoceanic cables and later radio. The new tech-
nology posed an unprecedented challenge to national sovereignty. Countries could
still control the movement of people and goods across their borders, but ideas and
information could now move around the world without being subject to the scrutiny
of customs or immigration officials.
The challenge, of course, is one that the notion of national sovereignty and nation
state survived. In part this is due to the rise of mechanisms of censorship and regu-
lation to control the new media. In part it is due to the fact that telecommunications
proved tremendously useful to governments themselves. The new tool was promptly
exploited by the European colonial powers, particularly Britain, to bind their em-
pires more tightly together than had ever been possible in the past.
1 Dr. Diffie is also testifying on behalf of the Digital Privacy and Security Working Group, a
group of more than 50 computer, communications and public interest organizations and associa-
tions working on communications privacy issues.
Telecommunications transformed government, giving administrators real time ac-
cess to their representatives in remote parts of the world. It transformed commerce,
facilitating world wide enterprises and beginning the internationalization of busi-
ness that has become the byword of the present decade. It transformed warfare by
giving generals the ability to operate from the relative safety of rear areas and ad-
mirals the capacity to control fleets scattered across oceans.
Once again, we are in the midst of a revolution in telecommunications technology
and once again we hear the warning that national security, and perhaps even na-
tional sovereignty, are in danger. As the most powerful country in the world and
the country whose welfare is the most dependent on both the security of its own
communications and its success in communications intelligence, the United States
confronts this challenge most directly.
In the course of discussing the key escrow program over the past year, I have
often encountered a piecemeal viewpoint that seeks to take each individual program
at face value and treat it independently of the others. I believe, on the contrary,
that it is appropriate to take a broad view of the issues. The problem confronting
us is assessing the advisability and impact of key escrow on our society. This re-
quires examining the effect of private, commercial, and possibly criminal use of
cryptography and the advisability and effect of the use of communications intel-
ligence techniques by law enforcement. In so doing, I will attempt to avoid getting
bogged down in the distinctions between the Escrowed Encryption Standard
(FIPS185) with its orientation toward telephone communications and the CAP-
STONE/TESSERA/MOSAIC program with its orientation toward computer net-
works. I will treat these, together with the Proposed Digital Signature Standard and
to a lesser extent the Digital Telephony Proposal, as a unified whole whose objective
is to maintain and expand electronic interception for both law enforcement and na-
tional security purposes.
PRIVACY PROBLEMS OF KEY ESCROW
When the First Amendment became part of our constitution in 1791, speech took
place in the streets, the market, the fields, the office, the bar room, the bedroom,
etc. It could be used to express intimacy, conduct business, or discuss politics and
it must have been recognized that privacy was an indispensable component of the
character of many of these conversations. It seems that the right — in the case of
some expressions of intimacy even the obligation — of the participants to take meas-
ures to guarantee the privacy of their conversations can hardly have been in doubt,
despite the fact that the right to speak privately could be abused in the service of
crime.
Today, telephone conversations stand on an equal footing with the venues avail-
able then. In particular, a lot of political speech — from friends discussing how to
vote to candidates planning strategy with their aides — occurs over the phone. And,
of all the forms of speech protected by the first amendment, political speech is fore-
most. The legitimacy of the laws in a democracy grows out of the democratic proc-
ess. Unless the people are free to discuss the issues — and privacy is an essential
component of many of these discussions — that process cannot take place.
There has been a very important change in two hundred years, however. In the
seventeen-nineties two ordinary people could achieve a high degree of security in
conversation merely by the exercise of a little prudence and common sense. Giving
the ordinary person comparable access to privacy in the normal actions of the world
today requires the ready availability of complex technical equipment. It has been
thoughtlessly said, in discussions of cryptographic policy, that cryptography brings
the unprecedented promise of absolute privacy. In fact, it only goes a short way to
make up for the loss of an assurance of privacy that can never be regained.
As is widely noted, there is a fundamental similarity between the power of the
government to intercept communications and its ability to search premises. Rec-
ognizing this power, the fourth amendment places controls on the government's
power of search and similar controls have been placed by law on the use of wiretaps.
There is, however, no suggestion in the fourth amendment of a guarantee that the
government will find what it seeks in a search. Just as people have been free to
protect the things they considered private, by hiding them or storing them with
friends, they have been free to protect their conversations from being overheard.
The ill ease that most people feel in contemplating police use of wiretaps is rooted
in awareness of the abuses to which wiretapping can be put. Unlike a search, it is
so unintrusive as to be invisible to its victim and this inherently undermines
accountability. Totalitarian regimes have given us abundant evidence that the use of
wiretaps and even the fear of their use can stifle free speech. Nor is the political
use of electronic surveillance a strictly foreign problem. We have precedent in con-
temporary American history for its use by the party in power in its attempts to stay
in power.
The essence of the key escrow program is an attempt to use the buying power and
export control authority of government to promote standards that will deny ordinary
people ready options for true protection of their conversations. In a world where
more and more communications take place between people who frequently cannot
meet face to face, this is a dangerous course of action.
OTHER DIFFICULTIES OF THE PRESENT PROPOSAL
The objections raised so far apply to the principle of key escrow. Objections can
also be raised to details of the present proposal. These deal with the secrecy of the
algorithm, the impact on security of the escrow mechanism, and the way in which
the proposal has been put into effect.
One objection that has been raised to the current key escrow proposal is that the
cryptographic algorithm used in the Clipper Chip is secret and is not available for
public scrutiny. One counter to this objection is that the users of cryptographic
equipment are neither qualified to evaluate the quality of the algorithm nor, with
rare exceptions, interested in attempting the task. In a fundamental way, these ob-
jections miss the point.
Within the national security establishment, responsibility for communication secu-
rity is well understood. It rests with NSA. Outside of that establishment, particu-
larly in industry, that responsibility is far more diffuse. Individual users are not
typically concerned with the functioning of pieces of equipment. They acquire trust
through a complex social web comprising standards, corporate security officers, pro-
fessional societies, etc. A classified standard foisted on the civilian sector will have
only one element of this process, federal endorsement.
In explaining the rationale behind key escrow at the 1993 National Computer Se-
curity Conference, Clint Brooks of NSA argued that key escrow was not a trap door,
reserving that term for a more mathematical approach in which the algorithm is
not kept secret. Brooks held that this idea had been rejected on the grounds that
the trap door could be found and exploited by opponents. Ironically, a similar weak-
ness lurks within the escrow approach, because the cost to an opponent of extracting
the family key and unit key of a chip from the chip's communications is only
marginally greater than the cost of extracting the key for an individual message.
Finally, there are disturbing aspects to the development of the key escrow FIPS.
Under the Computer Security Act of 1987, responsibility for security of civilian com-
munications rests with the National Institute of Standards and Technology. Pursu-
ant to this statute, the Escrowed Encryption Standard appeared as Federal Informa-
tion Processing Standard 185, under the auspices of the Commerce Department. Ap-
parently, however, authority over the secret technology underlying the standard and
the documents embodying this technology, continues to reside with NSA. We thus
have a curious arrangement in which a Department of Commerce standard seems
to be under the effective control of a Department of Defense agency. This appears
to violate at least the spirit of the Computer Security Act and strain beyond credi-
bility its provisions for NIST's making use of NSA's expertise.
IMPACT ON BUSINESS
Business today is characterized by an unprecedented freedom and volume of trav-
el by both people and goods. Ease of communication, both physical and electronic,
has ushered in an era of international markets and multinational corporations. No
country is large enough that its industries can concentrate on the domestic market
to the exclusion of all others. When foreign sales rival or exceed domestic ones, the
structure of the corporation follows suit with new divisions placed in proximity to
markets, materials, or labor.
Security of electronic communication is as essential in this environment as secu-
rity of transportation and storage have been to businesses throughout history. The
communication system must ensure that orders for goods and services are genuine,
guarantee that payments are credited to the proper accounts, and protect the pri-
vacy of business plans and personal information.
Two new factors are making security both more essential and more difficult to
achieve. The first is the rise in importance of intellectual property. Since much of
what is now bought and sold is information varying from computer programs to sur-
veys of customer buying habits, information security has become an end in itself
rather than just a means for ensuring the security of people and property. The
second is the rising demand for mobility in communications. Traveling corporate com-
puter users sit down at workstations they have never seen before and expect the
same environment that is on the desks in their offices. They carry cellular tele-
phones and communicate constantly by radio. They haul out portable PCs and dial
their home computers from locations around the globe. With each such action they
expose their information to threats of eavesdropping and falsification barely known
a decade ago.
Because this information economy is relentlessly global, no nation can successfully
isolate itself from international competition. The communication systems we build
will have to be interoperable with those of other nations. A standard based on a
secret American technology and designed to give American intelligence access to the
communications it protects seems an unlikely candidate for widespread acceptance.
If we are to maintain our leading position in the information market places, we
must give our full support to the development of open international security stand-
ards that protect the interests of all parties fairly.
POTENTIAL FOR EXCESSIVE REGULATION
The key escrow program also presents the spectre of increased regulation.
FIPS185 states that "Approved implementations may be procured by authorized or-
ganizations for integration into security equipment." This raises the question of
what organizations will be authorized and what requirements will be placed upon
them? Is it likely that people prepared to require that surveillance be built into com-
munication switches would shrink from requiring that equipment make pre-
encryption difficult as a condition for getting "approved implementations"? Such re-
quirements have been imposed as conditions of export approval for security equip-
ment. Should industry's need to acquire tamper resistant parts force it to submit
to such requirements, key escrow will usher in an era of unprecedented regulation
of American development and manufacturing.
ALTERNATIVES TO KEY ESCROW
It is impossible to address the issue of alternatives to key escrow, without asking
what, if any, is the problem.
In recent testimony before this committee, the FBI has portrayed communications
interception as an indispensable tool of police work and argued that the utility of
this tool is threatened by developments in modern communications. Unfortunately,
this testimony uses the broader term "electronic surveillance" almost exclusively. Al-
though it refers to a number of convictions, it names not a single defendant, court,
or case. This raises two issues: the effectiveness of electronic surveillance in general
and that of communications interception in particular.
It is easier to believe that the investigative and evidential utility of wiretaps is
rising than to believe it is falling. This is partly because criminals, like everyone
else, do more talking on the phone these days. It is partly because modern sys-
tems like provide much more information about a call, telling you where it came
from in real time even when it is from a long way away.
With respect to other kinds of electronic surveillance, the picture looks even
brighter. Miniaturization of electronics and improvements in digital signal process-
ing are making bugs smaller, improving their fidelity, making them harder to de-
tect, and making them more reliable. Forms of electronic surveillance for which no
warrant is held to be necessary, particularly TV cameras in public places, have be-
come widespread. This creates a base of information that was, for example, used in
two distinct ways in the Tylenol poisoning case of some years back.
Broadening the consideration of high tech crime fighting tools to include vehicle
tracking, DNA fingerprinting, individual recognition by infrared tracing of the veins
in the face, and database profiling, makes it seem unlikely that the failures of law
enforcement are due to the inadequacy of its technical tools.
If we turn our attention to foreign intelligence, we see a similar picture. Commu-
nications intelligence today is enjoying a golden age. The steady migration of com-
munications from older, less accessible, media, both physical and electronic, has
been the dominant factor. The loss of information resulting from improvements in
security has been consistently outweighed by the increased volume and quality of
information available. As a result, the communications intelligence product has been
improving for more than fifty years.
The situation, furthermore, is improving. The rising importance of telecommuni-
cations in the life of industrialized countries coupled with the rising importance of
wireless communications, can be expected to give rise to an intelligence bonanza in
the decades to come.
Mobile communication is one of the fastest growing areas of the telecommuni-
cations industry and the advantages of cellular phones, wireless local area net-
works, and direct satellite communication systems are such that they are often in-
stalled even in applications where mobility is not required. Satellite communications
are in extensive use, particularly in equatorial regions and cellular telephone sys-
tems are being widely deployed in rural areas throughout the world in preference
to undertaking the substantial expense of subscriber access wiring.
New technologies are also opening up new possibilities. Advances in emitter iden-
tification, network penetration techniques, and the implementation of cryptanalytic
or crypto-diagnostic operations within intercept equipment are likely to provide
more new sources of intelligence than are lost as a result of commercial use of cryp-
tography.
It should also be noted that changing circumstances change appropriate behavior.
Although intelligence continues to play a vital role in the post cold war world, the
techniques that were appropriate against an opponent capable of destroying the
United States within hours may not be appropriate against merely economic rivals.
If, however, we accept that some measure of control over the deployment of
cryptography is needed, we must distinguish two cases:
• The use of cryptography to protect communications and
• The use of cryptography to protect stored information.
It is good security practice in protecting communications to keep any keys that
can be used to decipher the communications for as short a time as possible. Discov-
eries in cryptography in the past two decades have made it possible to have secure
telephones in which the keys last only for the duration of the call and can never
be recreated, thereafter. A key escrow proposal surrenders this advantage by creat-
ing a new set of escrowed keys that are stored indefinitely and can always be used
to read earlier traffic.
With regard to protection of stored information, the situation is quite different.
The keys for decrypting information in storage must be kept for the entire lifetime
of the stored information; if they are lost, the information is useless. An individual
might consider encrypting files and trusting the keys to memory, but no organiza-
tion of any size could risk the bulk of its files in this fashion. Some form of key
archiving, backup, or escrow is thus inherent in the use of cryptography for storage.
Such procedures will guarantee that encrypted files on disks are accessible to sub-
poena in much the same way that files on paper are today.
In closing, I would like to ask which would be the more serious mistake: adopting
a key escrow system that we do not need or failing to move quickly enough to adopt
one that we do.
It is generally accepted that rights are not absolute. If private access to high-
grade encryption presented a clear and present danger to society, there would be
little political opposition to controlling it. The reason there is so much disagreement
is that there is so little evidence of a problem.
If allowing or even encouraging wide dissemination of high-grade cryptography
proves to be a mistake, it is likely to be a correctable mistake. Generations of elec-
tronic equipment follow one another very quickly. If cryptography comes to present
such a problem that there is a popular consensus for regulating it, this will be just
as possible in a decade as it is today. If on the other hand, we set the precedent
of building government surveillance capabilities into our security equipment we risk
entrenching a bureaucracy that will not easily surrender the power this gives.
Notes:
I have treated some aspects of the subjects treated here at greater length in other testimony
and comments and copies of these have been made available to the committee.
"The Impact of Regulating Cryptography on the Computer and Communications Industries"
Testimony Before the House Subcommittee on Telecommunications and Finance, 9 June 1993.
"The Impact of a Secret Cryptographic Standard on Encryption, Privacy, Law Enforcement
and Technology" Testimony Before the House Subcommittee on Science and Technology, 11 May
1993.
Letter to the director of the Computer Systems Laboratory at the National Institute of Stand-
ards and Technology, commenting on the proposed Escrowed Encryption Standard, 27 Septem-
ber 1993.
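The contrast the statement draws between ephemeral session keys and escrowed keys (in the spoken remarks on the TSD 3600 and STU-III, and again under "Alternatives to key escrow") can be made concrete. The following Python model is an added illustration, not code from the hearing or from any Clipper implementation: the cipher is a toy SHA-256 keystream standing in for the real algorithm, and the "escrow field" that carries the session key wrapped under a long-lived unit key is an assumed analogue of the access field, not its actual format. Two devices archive traffic; afterwards the only material that survives is the wire record plus the unit keys deposited with the escrow agents.

```python
"""Illustrative model (not Clipper/Skipjack) of ephemeral session keys
versus keys held in escrow. Constructed for this page; the wrapped-key
field and the toy cipher are assumptions, not the real LEAF format."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode XOR cipher derived from SHA-256 (illustration only;
    it stands in for the real algorithm and is not a usable cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class CallRecord:
    """What survives after a call ends: the wire traffic an interceptor
    could have archived. escrow_field is None for an ephemeral-only device."""
    chip_id: str
    nonce: bytes
    ciphertext: bytes
    escrow_field: Optional[bytes]


class SecurePhone:
    """unit_key=None models a device whose keys are purely ephemeral (the
    TSD 3600 D / STU-III behaviour described in the testimony). A unit_key
    models an escrowed device: the session key is also sent wrapped under a
    key that lives as long as the chip and whose copy sits with the escrow
    agents (constructed analogue, not the real design)."""

    def __init__(self, chip_id: str, unit_key: Optional[bytes] = None):
        self.chip_id = chip_id
        self.unit_key = unit_key

    def call(self, plaintext: bytes) -> CallRecord:
        # Fresh session key; assumed to come from an ephemeral key agreement
        # whose transcript does not reveal it (modelled here as random bytes).
        session_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ciphertext = keystream_xor(session_key, nonce, plaintext)
        escrow_field = None
        if self.unit_key is not None:
            # Session key wrapped under the long-lived unit key and sent along.
            escrow_field = keystream_xor(self.unit_key, b"wrap" + nonce, session_key)
        del session_key  # call over: the device's only copy of the key is gone
        return CallRecord(self.chip_id, nonce, ciphertext, escrow_field)


def recover_from_archive(record: CallRecord, escrow: Dict[str, bytes]) -> Optional[bytes]:
    """Decrypt an archived call using only the surviving record plus the
    escrow agents' unit keys. Returns None when nothing recoverable exists."""
    unit_key = escrow.get(record.chip_id)
    if record.escrow_field is None or unit_key is None:
        return None
    session_key = keystream_xor(unit_key, b"wrap" + record.nonce, record.escrow_field)
    return keystream_xor(session_key, record.nonce, record.ciphertext)


def demo() -> List[Optional[bytes]]:
    """Archive traffic from both device types, then apply the escrowed keys
    long after the calls ended. Ephemeral calls stay sealed; every escrowed
    call opens, which is the long-lived loophole the statement describes."""
    escrow_agents: Dict[str, bytes] = {}
    ephemeral = SecurePhone("EPH-0001")
    escrowed_unit_key = secrets.token_bytes(32)
    escrow_agents["ESC-0001"] = escrowed_unit_key  # deposited at manufacture
    escrowed = SecurePhone("ESC-0001", escrowed_unit_key)

    archive = [  # constructed sample traffic
        ephemeral.call(b"board meeting: accept the merger offer"),
        escrowed.call(b"board meeting: accept the merger offer"),
        escrowed.call(b"campaign strategy call, do not forward"),
    ]
    return [recover_from_archive(r, escrow_agents) for r in archive]


if __name__ == "__main__":
    for result in demo():
        print("sealed" if result is None else result.decode())
```

Running it prints one sealed call and two decrypted ones. Every device destroyed its session key at the end of the call, so the difference lies entirely in what else survives: for the escrowed device the wrapped copy on the wire and the unit key held by the agents outlive the conversation by as long as the chip and the escrow database exist, and a later compromise of that database (or of the unit key by any other route) retroactively opens all archived traffic. The storage case the statement goes on to discuss is the mirror image: there a long-lived, backed-up key is not a loophole but a requirement, since losing it makes the files unreadable.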
Senator Leahy. Thank you.
Mr. Walker, we had earlier the question asked of the Justice De-
partment whether you could use other encryption devices for voice
communications through our computers. The answer was
somewhat different than I had expected. I will turn it to you and let you
do your own testimony.
STATEMENT OF STEPHEN T. WALKER
Mr. Walker. Thank you very much, Mr. Chairman. My name is
Steve Walker and I am the founder and President of Trusted Infor-
mation Systems, an 11-year old computer security company. Before
I started TIS, I had spent 22 years with the Defense Department
at the National Security Agency, the Advanced Research Projects
Agency, and the Office of the Secretary of Defense.
Before we get to the demo of an alternative to the answer that
you got from the Justice Department, I would like to make a few
comments and then move to the demo.
Senator Leahy. Sure.
Mr. Walker. I am opposed to the key escrow cryptography as
proposed by the administration's Clipper initiative. I believe that
any government program that is as potentially invasive of the pri-
vacy rights of American citizens as key escrow is should only be
imposed after careful review by the Congress and the passage of
legislation, legislation that is signed by the President and, if nec-
essary, declared constitutional by the Supreme Court.
In 1968, we went through a very painful process of authorizing
wiretaps under very stringent conditions, and I believe that the
government imposition of key escrow procedures deserves no less
careful consideration. I believe that many Americans will accept
government-imposed key escrow if it is established through law
and if the holder of the keys is in the judiciary branch of the gov-
ernment. But without such action, I suspect most Americans will
remain firmly opposed to Clipper.
I am concerned that there appears to be very little business case
for the administration's assertions that key escrow will maintain
law enforcement's ability to wiretap criminals. I fear that, as pres-
ently being pursued, the Clipper initiative will be an expensive pro-
gram that will yield few, if any, results.
I am actually angered that the government's fixation on law en-
forcement and national security interests has delayed the estab-
lishment of a digital signature standard for over 12 years and done
considerable harm to the economic interests of the United States.
Mr. Kammer talked about a digital signature standard and how
important it was, but, in fact, because of the fixation on the inter-
ests of law enforcement and national security, we don't have one
when we could have had it 12 years ago.
I am also opposed to continued imposition of export controls on
products that employ cryptography that are already routinely
available throughout the world, as we will discuss here in a mo-
ment. The only effects that these controls are having is to deny
U.S. citizens and businesses protection of their own sensitive infor-
mation from foreign and domestic industrial espionage, and to
place U.S. information system producers at a severe disadvantage
in a rapidly growing market. I also wish to say, and I am sorry
Senator Murray is not here, that I very strongly support her bill,
S. 1846, and Maria Cantwell's bill, H.R. 3627, in their attempts to
alleviate this export control problem.
I was very pleased when Ray Kammer brought in the Clipper
TSD and demonstrated it because I wanted to talk just for a
minute about how we got into this mess, the Clipper mess, in some
sense. This is the culprit that began it. This is a TSD that looks
very much like the one that you used a few minutes ago, except
at the end of the TSD 3600 there is a "D." This device was initially
announced back in September 1992 by AT&T, with some publicity
— two-page ads in Business Week and elsewhere — and it has
DES in it. In some very real sense, it was the introduction of this
device that caused NSA and the FBI to go into a flurry to try to
find an alternative.
In January 1993, AT&T began shipping these devices. I got eight
of them at that time, but they told us they were only on loan. You
couldn't buy them, and they promised us there would be something
better in April. This was in 1993. In April, when the administra-
tion announced the Clipper initiative, the same day AT&T pledged
their support for it. Unfortunately, Clipper Chips were not ready
and so AT&T cooled its heels.
Then very quietly, in August 1993, yet another device was intro-
duced. This is the 3600 P. It has a proprietary algorithm in it, pro-
prietary to AT&T. We don't know what its quality is relative to
DES, but it can't be exported, so it must be pretty good.
These devices have been on sale — I bought this one from AT&T —
since last August and they are now selling both the Clipper device
that has an "E" after the 3600 for "escrow," presumably, and the
P device to the marketplace. When you ask them what are their
thoughts on this, they say, well, let's let the market decide what
it wants. So part of the discussion this morning that you have al-
ready had about are people going to buy the 3600 escrow device —
there already is an alternative that they can pick and let the mar-
ket, in fact, decide.
In the interests of time, I have done a quick market analysis
which I won't spend time on. I asked AT&T how many TSD's they
expected to sell and I was told by one individual they expected to
sell about as many as the STU-III's that are out there, the very
popular classified phone systems. There are about 250,000 of those
out there, and if you look at the chart comparing the number of
wiretaps that are anticipated and the 500 million phones that are
in the United States now, my estimate — and I basically challenge
the administration to produce some contrary numbers that show I
am wrong. If there are 250,000 such devices sold, there will be 2.5
key escrow calls intercepted each year. If the $16 million estimate
for operating the key escrow centers is amortized across that, each
one of those calls will cost $6.4 million.
Now, if the numbers are wrong, if we increase it by a factor of
10 or a factor of 100, when we get to the point where we have 25
million of these devices, 1 on every 20 telephones, we are still only
going to get a key escrow call every 1½ days and it is still going
to cost $64,000 for that call, which is twice the price of a current
wiretap that doesn't involve cryptography.
I would like to switch for a moment to the export control situa-
tion just to emphasize the things that we have here on the side.
The administration has asserted that export controls are not harm-
ful to U.S. business because there are no commercially available
foreign products involving cryptography. Last year, the Software
Publishers Association commissioned a study to look at this issue
and we have our latest results over in this chart.
We have now found over 340 foreign products that involve cryp-
tography coming from 22 countries around the world. One hundred
fifty-five of these use DES and 70 of them at least use it with soft-
ware. We have been able to purchase products from the companies
listed on the bottom there and those are on display. The notebooks
that we have there contain the product literature that we have on
each of the products that are there. It is arguable that this is not
an overwhelming number that we have found, but it certainly ap-
pears more significant than many people have suspected.
Another thing that we have found from our survey, though, that
is frightening to me, at least, and to U.S. businesses is that those
products that we obtained are DES software products. We got them
from Australia, Denmark, Finland, Germany, Israel, Russia and
the United Kingdom. We got them without any trouble at all. In
many cases, these people have distributors around the world, some-
times in the United States. You can call a German company on an
800 number. Somebody in Connecticut answers it, and you will
have a DES software product on your desk the next day. We cannot
ship those back. We would be in complete violation of U.S. export
laws.
The issue here is that it is not a level playing field. Our allies,
our friends, in England and in Germany are routinely shipping
products like this to us which we can't ship to them, and that is
a very grave concern and why I have particular support for the
Senator Leahy. So if you were an American company with
branches overseas and you wanted to use this, you would have the
branches overseas buy the product from the source overseas and
then ship to you the product that you would use back here?
Mr. Walker. Well, if it was my company overseas, my subsidi-
ary, I can get approval from the State Department. It takes about
6 months to do that, but you are right.
Senator Leahy. Yes; I understand that. I am talking about a
multinational.
Mr. Walker. Multinational companies are routinely buying prod-
ucts from foreign sources. In my written testimony, I have several
examples. A company called Semaphore in California listed about
15 examples of lost sales recently that they have encountered, and
everyone has these experiences. Fortune Magazine this month has
a two-page article in which the president of Sun and other compa-
nies talk about how serious this problem is and how little good it
is doing anyone.
Senator Leahy. The laptops that we are going to use in your
demonstration didn't come with encryption capability already pro-
grammed in them, did they?
Mr. Walker. No; they did not.
Senator Leahy. Was it very difficult to add the DES program to
it?
Mr. Walker. No; the gentleman who did it is sitting behind me.
It took him about a day to add it. Basically, if you wish, sir — yours
looks like it is in working order there.
Senator Leahy. The computer is in working order. That doesn't
necessarily mean that I am going to know what I am doing with
it.
Mr. Walker. Well, it is going to be easy. I will explain it to you,
sir.
Senator Leahy. I have got the cursor on "talk" right now.
Mr. Walker. Don't hit yet.
Senator Leahy. I mean, it is so tempting. My hand is just twitch-
ing here.
Mr. Walker. OK; go ahead. It is all right.
Senator Leahy. No, no, I am not going to. Go ahead, go ahead.
Mr. Walker. It is all right if you would like to do that.
These are basically Macintosh PowerBooks. They are actually
last year's models. If we had had this year's models, it would run
a little bit faster. This is a program that is available for about $70
from a company called Two Way Communications in San Diego,
CA. It is routinely available to anybody who wants it. These
laptops have built into them speakers and microphones, and there-
fore they have the ability to handle multimedia communications of
all sorts.
Basically, what we did was obtain this piece of software from the
San Diego Company which, incidentally, is written by a program-
mer in Moscow. That has nothing to do with the cryptography at
all, just an indication of the worldwide nature of all of this. It has
on it a button called "talk" which, if you hit the cursor, will allow
you to talk to me. If you would like to do that, go ahead.
That is working.
Senator Leahy. OK; now, it says "stop." Is that OK?
Mr. Walker. Yes; when you are activating it, it will then give
you the opportunity to turn it off by hitting the "stop" button. Now,
if you notice down below there is a little button called "encrypt
sound" just below the "talk" button. It is a little square.
Senator Leahy. Yes.
Mr. Walker. If you will just move the cursor down and press
that, sir?
Senator Leahy. Got it.
Mr. Walker. Now, you are speaking to me in DES encrypted
communications.
Senator Leahy. All right.
Mr. Walker. It doesn't sound any different than it did before.
Senator Leahy. No. I am just going to adjust my volume here a
little bit.
Mr. Walker. The volume needs to be adjusted in the room.
Senator Leahy. So, now, is the sound going through, encrypted
at your end?
Mr. Walker. Well, no. It is in the clear at my end.
Senator Leahy. I mean, it is encrypted between here and where
you are.
Mr. Walker. Yes; if you would hit the "stop" button, then I will
talk through you and be able to indicate to you how it would sound
if you were intercepting this.
Senator Leahy. I just hit the "stop" button.
Mr. Walker. OK; now, I will turn mine on. The reason we do
this one way right now — I mean, one at a time — is because of the
lack of power in these laptop computers. If we had PC's sitting
here, then it would be much better.
Now, I am going to hit the "encrypt" button. Now, I am speaking
to you encrypted. Can you hear me or do we need to adjust the
Senator Leahy. No; I can hear it.
Mr. Walker. We are getting feedback through the speaker sys-
tem, I am afraid. Now, if I decided I didn't want you to hear what
I was doing anymore, I could hit the "encrypt" button again. This
is what you would hear if you had the wrong key. I will turn it off
so that we don't have to do that again. This is the same thing that
they talked to us about with the tape that they were playing where
you hear the white noise.
Essentially, all I did was change the key that I am using, and
you didn't know what the key was and so what you heard was
noise. So if you were somewhere out on the net intercepting this,
that is what you would get if we didn't have the same key.
Basically, that is the demo. It is that laptop computers can be
used as telephones or as communications vehicles over the Internet
or anywhere else on a routine basis. This stuff is available right
now, and adding cryptography to it was fairly trivial. It took a day
or so to find where to put it in here and then just take DES from
anywhere in the world and plug it in. The effect on you and me
hearing this is, in fact, no different when it is encrypted than when
it is not.
I will turn mine off. You can turn it back on if you would like.
Senator Leahy. I hit "stop." I think I am off.
Mr. Walker. I can hear you now.
Senator Leahy. You can?
Mr. Walker. Yes.
Senator Leahy. Now, what do I do to turn this sucker off en-
tirely?
Mr. Walker. You just hit the "stop" button and close the top.
The point of this is not that there is any magic here; in fact, that
there isn't any magic here.
Senator Leahy. But it also makes a point I asked earlier in the
hearing of is it possible to just set this up with a commercial
encryption program.
[Stephen T. Walker submitted the following materials:]
Prepared Statement of Stephen T. Walker
I am pleased to testify today about the concerns I share with many Americans
about the Administration's Clipper Initiative and the negative impact that U.S. ex-
port control regulations on cryptography are having on U.S. national economic inter-
ests.
My name is Stephen T. Walker. I am the founder and President of Trusted Infor-
mation Systems (TIS), Inc., an eleven year old firm with over 100 employees. With
offices in Maryland, California, and England, TIS specializes in research, product
development, and consulting in the fields of computer and communications security.
My background includes twenty-two years as an employee of the Department of
Defense, the National Security Agency (NSA), the Advanced Research Projects
Agency, and the Office of the Secretary of Defense. During my final three years in
government, I was the Director of Information Systems for the Assistant Secretary
of Defense for Communications, Command, Control, and Intelligence (C3I).
For the past three years, I have been a member of the Computer System Security
and Privacy Advisory Board, chartered by Congress in the Computer Security Act
of 1987 to advise the Executive and Legislative Branches on matters of national con-
cern in computer security. In March 1992, the Board first called for a national re-
view of the balance between the interests of law enforcement/national security and
those of the public regarding the use of cryptography in the United States. The
Board has been heavily involved in this review, receiving public input on the Ad-
ministration's Clipper initiative, announced by the President on April 16, 1993, and
reaffirmed on February 4, 1994. I am also a member of the National Institute of
Standards and Technology's (NIST) Software Escrowed Encryption Working Group,
which is examining the possibilities for alternatives to the Clipper key escrow sys-
tem.
OVERVIEW
My testimony today will include my concerns with the Administration's Clipper
key escrow program and U.S. Government's rigid control of the export of products
containing cryptography in the face of growing worldwide availability and easy ex-
port of such products by other countries. In summary:
I am opposed to key escrow cryptography as proposed in the Administration's
Clipper Initiative.
I believe that any government procedure that is as potentially invasive of the
privacy rights of American citizens as key escrow should only be imposed after
careful Congressional consideration and passage of legislation by the Congress,
which is signed into law by the President and determined to be Constitutional
by the Supreme Court. In 1968, properly authorized government wiretaps of pri-
vate citizens were legalized through this process. Government imposition of key
escrow procedures deserves no less careful consideration.
I believe that most Americans would accept government-imposed key escrow
if it was established by law and if the key escrow center was located in the Ju-
dicial Branch of government.
I am concerned that there is not a sound "business" case to support the Ad-
ministration's assertion that key escrow will maintain law enforcement's ability
to wiretap the communications of criminals. I fear that as presently being pur-
sued, the Clipper Initiative will be an expensive program that will yield few if
any results.
I am angered that the government's fixation on law enforcement and national
security interests has delayed establishment of a Digital Signature Standard
(DSS) for over twelve years and done considerable harm to the economic inter-
ests of the United States.
I am also opposed to the continued imposition by the U.S. Government of ex-
port controls on products and technologies employing cryptography that are rou-
tinely available throughout the world. The only effects these controls have are
to deny U.S. citizens and businesses protection for their sensitive information
from foreign and domestic industrial espionage and to place U.S. information
system products at a disadvantage in the rapidly growing international market-
place.
A PATTERN OF ADMINISTRATION INITIATIVES
A number of recent Administration initiatives have heightened the concerns of
many Americans:
• The digital telephony initiative, in which the government wants to ensure that
it can always tap everyone's phone when it has the legal authority to do so,
• The Clipper key escrow initiative, in which the Administration wants to be sure
that it can easily break the cryptography of American citizens when it has the
legal authority to do so,
• The Digital Signature Standard non-initiative, in which the government has re-
peatedly, for twelve years, failed to achieve a basic technological capability that
is widely acknowledged as being essential to electronic commerce, and
• The continued imposition of controls on the export of cryptographic products in
spite of clear evidence of foreign availability of similar products and foreign gov-
ernments' failure to impose similar export controls, and in contrast to the mas-
sive relaxation of export controls in other areas of high technology.
All of these activities, taken together, lead one to the ominous conclusion that the
Administration's goal is to severely restrict the average American's ability to protect
his or her sensitive information with the hope that in so doing, it will also restrict
such capabilities of criminals, terrorists, and those opposed to the United States.
All of these initiatives are symptoms of the fundamental national dilemma we
face of finding a proper balance between:
• The rights of private individuals and organizations to protect their own sen-
sitive information and, in effect, our national economic interests and
• The needs of law enforcement and national security interests to be able to mon-
itor the communications of our adversaries.
Until we can strike a reasonable balance between these basic needs, this debate
will continue. Unfortunately, the Administration's position is focused solely on the
interests of law enforcement and national security to the exclusion of the rights of
private citizens and the nation's economic interests.
I believe that only the Congress can determine where a reasonable balance lies
between Americans' right to privacy and our national security interests.
We can no longer afford to have this determination being made exclusively by the
Executive Branch.
CLIPPER KEY ESCROW
I would like to begin by summarizing my concerns with the Administration's key
escrow initiatives.
Law enforcement and national security communications interceptions are vital
functions of a modern government. I support these functions and encourage their
continuation.
But the sky will not fall if we do not have Clipper key escrow or if cryptographic
export controls are relaxed to levels consistent with worldwide availability. Law en-
forcement as we know it will not end if a few wiretaps encounter encrypted commu-
nications. And the nation's ability to listen in to the communications of its adversar-
ies will not end if some of those intercepts encounter increased use of cryptography.
They had better not end, because both law enforcement wiretaps and national se-
curity intercepts are going to encounter ever-increasing amounts of encrypted com-
munications no matter what the Administration does or does not do.
We must understand and accept the growing availability of cryptography world-
wide as a basic fact of life. The ever-widening availability of cryptographic tech-
nology in the U.S. and overseas will make it harder day by day to monitor the com-
munications of our adversaries, no matter what measures the Administration may
attempt to take. There are no magic solutions to this issue, which originates in the
very same technological advances that we are all taking advantage of in our daily
lives.
We must also understand that those same technological advances are creating
greatly improved techniques for exhaustively checking the key space of cryp-
tographic algorithms such as DES and for factoring large prime numbers. A design
for a system that could exhaustively check the key space of DES in 3½ hours was
described at a public conference on cryptography last Summer. A group at Bellcore
recently announced they had factored a 129 digit number, a new high.
The concept put forward by some in government that if we do not have key escrow
or if we allow export of DES products, all our intelligence operations will suddenly
fail, is false. On the contrary, key escrow will never be more than a small side show
in the world of cryptography and DES cryptography will continue its rapid growth
worldwide whether the US allows its export or not. Our government will be much
better served by focusing on techniques to defeat known algorithms rather than pro-
moting new techniques that are highly unpopular in the US and abroad.
TECHNOLOGY SHIFTS THREATEN THE WIRETAP BALANCE
Since 1968, when the wiretap provisions of the Omnibus Crime Control and Safe
Streets Act went into effect, we seem as a nation to have found a constructive bal-
ance between the needs of law enforcement to intercept communications of sus-
pected criminals and the desire of the public for the perception of privacy in its com-
munications. The apparent successes that law enforcement has achieved through le-
gally authorized wiretaps against organized crime, coupled with the difficulties cited
by law enforcement officials in obtaining them, and the steady rate of 800 or so per
year over the past decade all indicate that we probably have achieved about as good
a balance on this issue as we can ever get.
But now technological advances threaten to upset this balance. The ready avail-
ability of good quality cryptography in inexpensive phone devices threatens to make
it easy for those criminals who recognize that they may be tapped to protect them-
selves. The AT&T announcement in September 1992 of a relatively cheap Telephone
Security device (TSD) that uses the Data Encryption Standard (DES) cryptographic
algorithm to protect phone conversations apparently threw NSA and the FBI into
high gear to find an alternative.
And bring on clipper
What emerged from this was the Clipper initiative, the goal of which is to give
the American public very good cryptography that could, if necessary, be readily
decrypted by authorized law enforcement officials. A firestorm of protests then fol-
lowed from virtually all segments of the American public and many of our friends
overseas that government-imposed key escrow is not something that they want.
In the midst of the flood of protests over violations of civil liberties and infringe-
ments of Bill of Rights that key escrow will cause and complaints about the use of
a secret algorithm to protect unclassified information, several basic "laws" of the
marketplace seem to have been overlooked. The Administration has never presented
a "business plan" describing how Clipper will succeed in maintaining the ability of
law enforcement to wiretap the phones of criminals. The lack of a fundamental un-
derstanding of how things work in a competitive marketplace shows up conspicu-
ously throughout this story.
One of the first principles of business is to have your product ready for the market
when the market is ready for it. In January 1993, following their September 1992
announcement, AT&T began shipping TSDs with DES. But pressure from the gov-
ernment apparently convinced AT&T to endorse the as yet unannounced CUpper
program. So AT&T "loaned" the DES devices to their first customers with a promise
that something 'Taetter" would be available in "April." And sxire enough, on April
16, 1993, as the Administration announced CUpper, AT&T pledged its support.
Unfortunately, CUpper chips were not ready. So AT&T cooled its heels waiting for
something to seU. Finally, in August 1993, AT&T quietly introduced another TSD
that uses proprietary cryptographic algorithms, thus creating a major competitor for
CUpper.
In effect, we have come full circle. In September 1992, the initial AT&T announce-
ment was perceived by the government as a major threat to law enforcement. In
August 1993, while waiting for Clipper chips, AT&T introduced a similar product
that must represent a similar threat. AT&T is now selling both Clipper and non-
Clipper TSDs in order to let the market decide which it wants.
What is the market for clipper?
In any business venture, it is important to understand the potential market for
a product and to determine if one's market penetration will be sufficient to achieve
one's goals.
For it to maintain law enforcement's ability to wiretap, the Clipper initiative must
achieve a reasonably high market penetration. The problem is that very few people
today will want to buy a telephone security device, even if it costs $50 instead of
over $1,000. Very few residential users will bother, and those who do will find few
people to talk to. Businesses will buy telephone security devices for their executives
to protect strategic business communications, but the vast bulk of routine business
communications will go unprotected.
Today there are estimated to be over 500 million phones in residential and busi-
ness use in the U.S. When asked how many TSDs AT&T expected to sell, one esti-
mate was at least as many as the popular STU-III secure phones for use with clas-
sified information. There are approximately 250,000 STU-IIIs installed today.
Numbers like these represent a very reasonable business case for AT&T, but will
they allow the Clipper program to achieve its goal of solving the law enforcement
wiretap problem?
If the above estimates are correct, in a few years roughly five one-hundredths of
one percent (0.05%) of America's phones will be protected by TSDs (250,000/
500,000,000). Of course many of these will use the proprietary algorithm rather
than Clipper. But we will optimistically assume that this percentage represents the
situation with Clipper TSDs in five years.
Now if one analyzes the average number of court-authorized wiretaps over the
past fifteen years, one can reasonably conclude that 1,000 such wiretaps per year
would be a reasonable projection for the near future. One could further assume that
each court-ordered wiretap results in as many as five actual phone taps. This leads
to an estimate of 5,000 physical wiretaps per year. A typical cost for a wiretap oper-
ation not involving cryptography has been estimated at $50,000 to $60,000.
In the Administration's proposed key escrow plan, there will be two key escrow
centers, one at NIST and one at Treasury, that, when fully operational, will be
available 24 hours a day, seven days a week, year round. These will each require
a staff of at least ten people at a labor cost of $1.5M per year. The non-labor costs
of each center will be another $1.5M leading to a total annual cost for both centers
of $6.0M.
No estimate exists for how much it has cost to develop and promote the Clipper
initiative. In a business analysis, it would be important to amortize these costs over
the expected value of the "product," but for now all we have to use is the estimated
cost of operating the centers.
If Clipper TSDs represent 0.05% of the phones in America and there are 5,000
taps per year, then law enforcement officials can reasonably expect to encounter on
average 2.5 Clipper key-escrowed phone taps per year, or one every 145 days. If the
cost of the key escrow center operations is amortized over 2.5 calls per year, each
key-escrowed wiretap will cost $2.45M ($50K for wiretap and $2.4M for escrow cen-
ter expenses). At $1,000 per TSD, 250,000 will cost the consumer $250M.
But suppose the STU-III equivalent estimate is far too conservative for sales of
TSDs. If sales are 2.5 million devices (0.5% of all phones), this will lead to intercep-
tion of approximately 25 key-escrowed phone calls per year, about one every fifteen
days. If the key escrow centers' costs are amortized over 25 calls per year, each key-
escrowed wiretap will cost $290,000 ($50K for wiretap and $240K for escrow center
expenses). If TSD prices fall in an expanded market to $500 per TSD, 2.5M devices
will cost the consumer $1.25B.
If the demand for TSDs is truly enormous, reaching 5% of all phones in the U.S.,
one could expect about one key-escrowed wiretap every day and a half. In this case,
the cost of a key-escrowed wiretap will rise to $74,000 ($50K for wiretap and
$24,000 for escrow center expenses). Only in this last case does any form of cost
benefit tradeoff for the cost of a wiretap make sense. Even if prices were to fall to
$100 per TSD, 25M will cost the consumer $2.5B.
Number of Clipper Telephone Security Devices:   250,000    2,500,000   25,000,000
Percent of U.S. phones:                         0.05%      0.5%        5%
Number of Key Escrow taps/yr:                   2.5        25          250
One call to key escrow center every:            145 days   15 days     1.5 days
Cost per escrowed key call:                     $2.4M      $240,000    $24,000
This scenario assumes that the population of phones likely to be tapped is roughly
the same as that of the general population. Unfortunately, this is unlikely to be true
since, on one hand, the average criminal who doesn't realize he is likely to be tapped
is unlikely to bother with any form of TSDs and so can be wiretapped using conven-
tional means and, on the other hand, the "sophisticated" criminal, who understands
what he may be up against, will almost certainly buy non-key escrowed TSDs.
Under these circumstances, 2.5 key-escrowed calls per year is probably very optimis-
tic.
Now there are those who say, "If only one of those calls is a World Trade Center
bomb plot, it will all be worth it!" But the World Trade Center bombers went back
for a deposit on the rental truck they blew up. If they are the types we are up
against, they will not have enough sense to use a TSD. And as pointed out above,
the sophisticated criminal will surely know enough to not buy a key-escrowed TSD.
A contradictory story has also been put forth that claims that the Administration
never intended to catch criminals using key escrow. In this version, the intent was
to introduce cryptographic capabilities that are substantially better than what is
available now and to include key escrow to deny their use to criminals. If this is
the "real" reason for Clipper, then the Administration must understand that they
will never get any wiretap calls for key escrow. If so, one must anticipate that the
extensive protections now being planned for the escrowed keys will diminish over
time from disuse. If this happens, all those who bought the "stronger" encryption
capability will then become vulnerable to trivial decryption.
The Administration has stated that its plan is to buy enough TSDs to flood the
market, thus making them so cheap that everyone will buy them. Their plan for
"flooding" the market is to buy 9,000 devices using funds confiscated from criminals.
Such a purchase will have little effect either in achieving the installed base nec-
essary for key escrow to work properly or in reducing the price to a level where the
devices are pervasive.
Even if every factor in this analysis is slanted in favor of Clipper, it is difficult
to see how this program is going to help law enforcement maintain its ability to
wiretap criminals. Clipper is an expensive program for both the government and the
consumer that shows little if any promise of achieving its goal.
International aspects of key escrow
The Administration has stated that Clipper systems with key escrow will be ex-
portable. The question remaining to be answered is will anyone outside the U.S. be
interested. In July 1992, NSA agreed that certain encryption algorithms that were
limited to 40-bit key lengths could be exportable. But 40-bit key lengths are so weak
that no one inside or outside the U.S. would want them. It is clear that foreign gov-
ernments may want key escrow systems to allow them to monitor communications,
but their citizens will generally share the concerns of most Americans.
It may be possible for governments to work out bilateral agreements to share
escrowed keys (though little progress has been reported to date), but this will do
nothing for the growing need of multinational companies to communicate with oth-
ers across international boundaries. The international aspects of key escrow remain
a thorny problem, which will defy solution for a long time.
The capstone tessera program
Apparently when AT&T announced its DES TSD in late 1992, NSA had already
been working on a program called Capstone which was to provide good quality cryp-
tography and key escrow for computer communications. Applying these techniques
to telephones required only a stripped down Capstone, which came to be called Clip-
per.
Capstone is a key ingredient in a program to provide information security for the
Defense Message System and other programs within the Department of Defense. It
is also being pushed for a wide variety of other programs within the government
including the IRS, Social Security, and even Congressional systems.
Providing good cryptographic protection in a computer communications environ-
ment is much more difficult than in a telephone context. The ease with which a user
can manipulate his or her text either before passing it to the Capstone process or
after it has been encrypted makes it very difficult to ensure the effectiveness of the
result. Also, the technologies involved in the present implementations of the Skip-
jack algorithm, while sufficient for telephone and low speed computer communica-
tions, will not easily scale to meet the needs of high speed computer communica-
tions.
Because it uses a secret algorithm, Capstone and the products that use it will only
be available in hardware implementations such as the NSA Tessera PCMCIA card.
It has been suggested that if the interfaces that Tessera uses could be generalized
so that other cryptographic algorithms could be implemented in compatible pack-
ages, the Tessera program could have a much greater market penetration.
The Government has stated that Tessera will be exportable. If such common cryp-
tographic interfaces existed, mass market software vendors who support Tessera
could integrate cryptographic functions into their applications without concern for
export controls on their products and vendors within individual countries could
build Tessera equivalent PCMCIA cards using alternative cryptographic algorithms.
Such a development would provide a fundamental increase in the market for cryp-
tographic products and thus increase the chances for market penetration of products
such as Tessera. At this time, it is unclear whether NSA will choose to generalize
the Tessera interfaces to allow cards with other algorithms to coexist.
Strengths of Clipper
I am convinced that Skipjack, the cryptographic algorithm in Clipper, is a very
good algorithm. I also believe that procedures can be developed for protecting
escrowed keys that will provide reasonable assurance that the keys will not be com-
promised under normal circumstances. I have known many of the people at NIST
and NSA who have worked on this program for many years. I believe they are hon-
est, well-intentioned people who are doing the best job they can to protect the inter-
ests of the law enforcement and national security communities.
My concerns are not with the strengths of this program or the integrity of the
people who have put it together but with whether there is any practical chance that
it will achieve its goals and whether the American people are ready for key escrow.
What should Congress do?
For any form of key escrow system to work, it must have the confidence of the
American people. The Administration claims that it does not need legislation to im-
pose key escrow, that it is operating entirely within the provisions of the wiretap
statutes. This may be legally correct, but we should take lessons from the past on
how to convince people to accept ideas that do not immediately seem to be in their
best interests.
At least once before in modern times, the government was faced with convincing
the American public to allow something that did not seem in the best interests of
the average citizen, that is, to allow the government to wiretap phones. But in 1968,
Congress passed and the President signed a law that established a balance on the
wiretap issue that appears reasonable to most of us.
If key escrow is the vital answer to encrypted wiretaps as the Administration
claims, we should follow the same process we used for authorizing wiretaps:
(1) Congressional debate,
(2) Passage of legislation,
(3) Presidential signature, and
(4) Judicial review.
This full process is necessary before the American people will accept key escrow.
The only excuse for not doing this seems to be that the process will take too long.
But the reaction to date indicates that by not taking the time for the legislative
process, the Clipper program will be little more than a program the government im-
poses on itself.
I strongly recommend that the Administration propose legislation that would give
key escrow the same legal standing as court-ordered wiretaps. If the Administration
does not take this action soon, I believe the Congress should act on its own to review
this concept and determine if key-escrowed communications should be imposed on
the American people.
THE DIGITAL SIGNATURE NON-INITIATIVE
Key escrow is not the only instance in which the Administration has focused al-
most exclusively on the law enforcement and national security side of an important
issue. In almost total contrast to the haste with which the Clipper initiative has pro-
ceeded, the government's efforts over the past decade to establish a digital signature
standard, an essential tool in any form of electronic commerce, have failed miserably.
The background of this incredible failure should be very embarrassing to someone,
but it appears there are so many participants that no one needs to take the
blame.
According to a recent GAO report, this odyssey began in the early 1980s when
the National Bureau of Standards (NBS, now NIST) sought a public key encryption
standard to complement the DES. No progress was made even though nearly every-
one acknowledged the essential need for such a capability and that the technology
necessary for it already existed in the RSA public key encryption algorithm among
others.
In the 1988 hearings on the progress of the Computer Security Act, the Directors
of NSA and NBS were pressured to get on with establishing a public key encryption
standard. In the recently released, highly censored proceedings of the joint NSA-
NBS Technical Working Group, the tortuous deliberations toward a DSS are evi-
dent. Despite the ready availability of technology such as RSA, which could have
provided a DSS as early as 1982, the government persisted in seeking an alternative
with limited capabilities.
In the House Subcommittee on Science hearing on Internet Security, March 22,
1994, Mr. Lynn McNulty, Associate Director of the NIST National Computer Sys-
tems Laboratory, testified that:
* * * our strategy * * * was to develop encryption technologies that did
not do damage to the national security or law enforcement capabilities of
this country. And our objective in developing the digital signature standard
was to come out with a technology that did signatures and nothing else
very well. It could not be used for either encryption or to provide key management
or key distribution techniques for other symmetric encryption
technologies.
With these constraints, the government placed itself in a very difficult situation
that it has proceeded to make very much worse with time.
In August 1991, after considering at least four alternatives, NIST finally an-
nounced with much fanfare the selection of the Digital Signature Algorithm (DSA)
for the DSS. NIST stated that this algorithm, patented by an NSA employee, would
be royalty-free to all parties, an attractive offer since the use of RSA or other public
key alternatives would require royalty payments to RSA Data Security, Inc., or Public
Key Partners (PKP). A royalty-free signature algorithm was sufficiently attractive
that many felt DSA could succeed against the already popular RSA algorithm.
The initial public comment period on the DSS selection brought mostly technical
comments on the algorithm itself. Following this there was a long silent period during
which NIST's only comment was that the lawyers were working on patent issues.
It seems there was a German, Professor Doctor C.P. Schnorr, who had a U.S.
patent that he claimed was infringed upon by the DSA. NIST visited Professor Doc-
tor Schnorr seeking to work out the patent issues. Apparently PKP did also, because
in early 1993, PKP told the government that they now had the rights to Professor
Doctor Schnorr's patent and that use of DSA by the government would infringe
upon their patent rights.
In order to resolve this problem, NIST announced in June 1993 that they in-
tended to give PKP an exclusive license to the DSA. The U.S. Government would
have free use of DSA, but everyone else, including foreign governments, would have
to pay royalties to PKP. This situation was very different from the August 1991 pro-
posal. Now the only advantage of DSA over its well-established rival RSA was gone.
The government wanted DSA because it could not be easily used for functions other
than digital signature. But the public and other governments could no longer per-
ceive any advantage to DSA.
The public comments, including several from foreign governments, on this NIST
licensing proposal were overwhelmingly negative. Again the government's lack of
any sense of the impact of this on the marketplace was apparent. Another long pe-
riod of silence by the government extended from late summer 1993 until early 1994.
Then on February 4, 1994, as part of the Clipper approval announcement, NIST
stated that the exclusive licensing of DSA to PKP would not take place, and it was
the government's intention that the DSA would be available to anyone free of royalties.
When asked what the government would do now to make this possible, the response
was they would either (1) continue trying to negotiate a deal with PKP, (2)
take the process to courts to prove that DSA did not infringe upon PKP's patents,
or (3) develop a new algorithm. There was, of course, no timetable for resolving
these alternatives.
So now we are no better off than we were in mid-1991 or perhaps even 1982. But
today there are major commercial activities that are using RSA as the basis for digital
signatures and there are major government programs, such as the IRS modernization
effort, that must have a digital signature capability to succeed. NIST's
present advice to government programs in need of a digital signature capability is
to do whatever they want.
Recalling Mr. McNulty's testimony from above, we have another example of the
government's insistence that law enforcement and national security interests totally
dominate those of the public and civilian government. The result is that a capability
that could have been available as a government standard in 1982 and is now a
de facto commercial world standard has been held back for twelve years, and there
remains no real prospect for when this issue will be resolved.
What should Congress do?
Unfortunately, in this case it is difficult to suggest what the Congress can do.
It would be unusual but not out of the realm of possibilities for the Congress to
mandate the use of an existing industry standard for digital signatures for all government
programs involving electronic commerce. The clear failure of the Executive
Branch to find a suitable alternative after twelve years of searching and the urgent
needs of government and commercial interests to have a readily available means for
signing electronic documents would justify such a step by the Congress.
EXPORT CONTROL OF CRYPTOGRAPHY
And there are other examples of how the government's dominant concern for na-
tional security and law enforcement capabilities has driven the U.S. down paths
that harm our national economic interests.
Since the publication of the DES as a U.S. Federal Information Processing Stand-
ard (FIPS) in 1977, cryptography has shifted from the exclusive domain of govern-
ments to that of individuals and businesses. DES in both hardware and software
implementations is a de facto international standard against which all other cryptographic
algorithms are measured.
The controversy that arose as soon as DES was published concerning whether it
had weaknesses that intelligence organizations could exploit fostered the highly
fruitful academic research into public key cryptography in the late 1970s. Public key
algorithms have the major advantage that the sender does not need to have estab-
lished a previous secret key with the recipient for communications to begin. Public
key algorithms, such as RSA, have become as popular and widely used as DES
throughout the world for integrity, confidentiality, and key management.
Software Publishers Association study
The Administration has asserted that export controls are not harming U.S. eco-
nomic interests because there are no foreign cryptographic products and programs
commercially available. Implementations of DES, RSA, and newer algorithms, such
as the International Data Encryption Algorithm (IDEA), are available routinely on
the Internet from sites all over the world. But according to the Administration,
these do not count as commercial products.
In order to understand just how widespread cryptography is in the world, in May
of 1993, the Software Publishers Association (SPA) commissioned a study of products
employing cryptography within and outside the U.S. There was a significant
amount of knowledge about specific products here and there, but no one had ever
tried to assemble a comprehensive database with, where possible, verification of
product availability. I reported the results of this survey in hearings before the Sub-
committee on Economic Policy, Trade and Environment, Committee on Foreign Af-
fairs, U.S. House of Representatives last October.
Information on new products continues to flow in daily. As of today:
• We have identified 340 foreign hardware, software, and combination products
for text, file, and data encryption from 22 foreign countries: Argentina, Aus-
tralia, Belgium, Canada, Denmark, Finland, France, Germany, Hong Kong,
India, Ireland, Israel, Japan, the Netherlands, New Zealand, Norway, Russia,
South Africa, Spain, Sweden, Switzerland, and the United Kingdom.
• Of these, 155 employ DES either in hardware or software.
• We have confirmed the availability of 70 foreign encryption software programs
and kits that employ the DES algorithm. These are published by companies in
Australia, Belgium, Canada, Denmark, Finland, Germany, Israel, the Nether-
lands, Russia, Sweden, Switzerland, and the United Kingdom.
• Some of these companies have distributors throughout the world, including in
the U.S. One German company has distributors in 14 countries. One U.K. company
has distributors in at least 13 countries.
• The programs for these DES software products are installed by the users insert-
ing a floppy diskette; the kits enable encryption capabilities to be easily pro-
grammed into a variety of applications.
A complete listing of all confirmed products in the database is identified in At-
tachment 1.
As part of this survey, we have ordered and taken delivery on products containing
DES software from the following countries: Australia, Denmark, Finland, Germany,
Israel, Russia, and the United Kingdom.
Foreign customers increasingly recognize and are responding to the need to pro-
vide software-only encryption solutions. Although the foreign encryption market is
still heavily weighted towards encryption hardware and hardware/software combinations,
the market trend is towards software for reasons of cost, convenience, and
space.
• On the domestic front, we have identified 423 products, of which 245 employ
DES. Thus, at least 245 products are unable to be exported, except in very lim-
ited circumstances, to compete with the many available foreign products.
• In total, we have identified to date 763 cryptographic products, developed or distributed
by a total of 366 companies (211 foreign, 155 domestic) in at least 33
countries.
DES is also widely available on the Internet, and the recently popularized Pretty
Good Privacy encryption software program, which implements the IDEA encryption
algorithm, also is widely available throughout the world.
The ineffectiveness of export controls is also evident in their inability to stop the
spread of technology through piracy. The software industry has a multibillion dollar
worldwide problem with software piracy. Mass market software is easy to duplicate
and easy to ship via modem, suitcase, laptop, etc. Accordingly, domestic software
products with encryption are easily available for export — through illegal but perva-
sive software piracy — to anyone who desires them.
Foreign customers who need data security now turn to foreign rather than U.S.
sources to fulfill that need. As a result, the U.S. Government is succeeding only in
crippling a vital American industry's exporting ability.
Frequently heard arguments
There are a series of arguments frequently heard to justify continued export con-
trol of cryptographic products.
The first argument is that such products are not available outside the U.S., so
U.S. software and hardware developers are not hurt by export controls.
The statistics from the SPA survey prove that this argument is false!
A second argument is that even if products are available, they cannot be pur-
chased worldwide.
Our experience with purchasing products indicates that this also is not true.
We have found 462 companies in 33 foreign countries and the U.S. that are
manufacturing, marketing, and/or distributing cryptographic products, most on
a worldwide basis. The names of these companies are listed in Attachment 2.
All the products we ordered were shipped to us in the U.S. within a few days.
The German products were sent to us directly from their U.S. distributors in
Virginia and Connecticut, respectively. Our experience has been that if there is
paperwork required by the governments in which these companies operate to
approve cryptographic exports, it is minimal and results in essentially immediate
approval for shipping to friendly countries.
A third argument frequently heard is that the products sold in other parts of the
world are inferior to those available in the U.S.
We have purchased products from several sources throughout the world. We or-
dered DES-based PC file encryption programs for shipment using routine channels
from:
• Algorithmic Research Limited (ARL), Israel
• Sophos Ltd., UK
• Cryptomathic A/S, Denmark
• CEInfosys GmbH, Germany
• uti-maco, Germany
• Elias Ltd., Russia (distributed through EngRus Software International, UK)
The products we obtained from these manufacturers and distributors were in
every case first-rate implementations of DES. To better understand if foreign prod-
ucts are somehow inferior, we have examined several of these products to see if we
can detect flaws or inherent weaknesses.
What we have found in our limited examination is that while these products gen-
erally use fully compliant DES implementations, they sometimes do not make use
of all the facilities that might be available to them. The result is a full-strength DES
product that is fully adequate for protecting commercial sensitive information but
would not meet the strict requirements of a full national security product review.
Two examples of facilities that these products do not fully utilize are:
• Initialization Vector (IV) (data added to the beginning of text to be encrypted
to ensure synchronization with the decryption process). Frequently, these simple
file encryption products use the same IV every time. A product designed for
protecting national security information would vary the IV each time.
• Key Generation: Frequently, these products use an encryption key derived from
a string of text that is typed in by the user. Users may tend to use the same
simple alphanumeric text strings to encrypt multiple files. A product designed
for protecting national security information would generate a truly random
encryption key, usually with each use.
It is important to note that there appears to be no difference between foreign and
U.S. commercial products in the use of these simplifications.
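Added example (not part of Mr. Walker's testimony or of any product he names): the Python below shows why the two simplifications matter. Under CBC mode a constant IV lets anyone holding two encrypted files count how many leading blocks of plaintext they share, and a key hashed from typed text is identical every time the same passphrase is reused; the hardened variant draws a fresh key and IV per file. The block cipher is a stand-in keyed Feistel network with DES-sized 64-bit blocks, constructed here so the example runs with the standard library alone; it is not DES and is not a secure cipher.

```python
"""Fixed IV and passphrase-derived key versus per-file random key and IV.
Stand-in cipher (constructed for this example): a 16-round keyed Feistel
network over 64-bit blocks with an HMAC-SHA256 round function. NOT DES."""
import hashlib
import hmac
import os

BLOCK = 8                 # 64-bit block, the same block size DES uses
ROUNDS = 16
FIXED_IV = bytes(BLOCK)   # the "same IV every time" pattern described above

# Constructed sample plaintexts: two memos that share their first 43 bytes
# (five full 8-byte blocks) and then differ in the sixth block.
MEMO_A = b"MEMO 1994-05-03 Clipper key escrow budget: approved"
MEMO_B = b"MEMO 1994-05-03 Clipper key escrow budget: rejected"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed round function F(K, R): HMAC-SHA256(key, rnd || R) cut to 32 bits."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Feistel: (L, R) -> (R, L xor F(R)) per round; halves swapped at the end."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """The same network with the rounds applied in reverse order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left

def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK      # PKCS#7-style padding, 1..8 bytes
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    padded, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, blk), prev))
        prev = blk
    return _unpad(b"".join(out))

def key_from_passphrase(passphrase: str) -> bytes:
    """The simplification described above: the same typed text always gives the same key."""
    return hashlib.sha256(passphrase.encode()).digest()[:BLOCK]

def encrypt_simple_product(passphrase: str, plaintext: bytes) -> bytes:
    """Passphrase-derived key plus a constant IV, as in the surveyed file encryptors."""
    return cbc_encrypt(key_from_passphrase(passphrase), FIXED_IV, plaintext)

def encrypt_hardened(plaintext: bytes):
    """Fresh random key and IV for every file; returns (key, iv, ciphertext).
    A real product would then wrap the per-file key under a master key."""
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    return key, iv, cbc_encrypt(key, iv, plaintext)

def equal_leading_blocks(c1: bytes, c2: bytes) -> int:
    """Number of leading ciphertext blocks two files share. With a fixed IV and the
    same key this equals the number of shared leading plaintext blocks, so an
    observer learns which files start alike without recovering any key."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

if __name__ == "__main__":
    c_a = encrypt_simple_product("letmein", MEMO_A)
    c_b = encrypt_simple_product("letmein", MEMO_B)
    print("fixed IV, same passphrase: shared blocks =", equal_leading_blocks(c_a, c_b))
    _, _, h_a = encrypt_hardened(MEMO_A)
    _, _, h_b = encrypt_hardened(MEMO_B)
    print("random key and IV per file: shared blocks =", equal_leading_blocks(h_a, h_b))
```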
A fourth frequently heard argument is that many countries have import restric-
tions that would prevent U.S. exports even if the U.S. relaxed its export controls.
While our survey has focused on the ease of importing products into the U.S.,
we have noted that many of the companies in our survey have distributors through-
out the world. There may be countries that restrict imports of cryptography just as
there may be those that restrict internal use of cryptography. But we are unaware
of any countries in this category.
Other countries have relaxed export controls
Our survey results also point to a much more ominous finding! Apparently the
controls imposed by the U.S. Government on export of cryptographic products from
the U.S. are far more restrictive than those imposed by most other countries, includ-
ing our major allies. The effect of this most unfortunate situation is to cripple U.S.
industry while our friends overseas appear to be free to export as they wish.
The U.S. imposes very strict rules on the export of cryptographic products. In gen-
eral, applications for the export of products that use DES will be denied even to
friendly countries unless they are for financial uses or for U.S. subsidiaries. We
have been told repeatedly by the U.S. Government that other countries such as the
United Kingdom and Germany have the same export restrictions that the U.S. does.
But our experiences with the actual purchases of cryptographic products show a
very different picture.
We know that companies in Australia, Denmark, Germany, Israel, South Africa,
Sweden, Switzerland, and the United Kingdom are freely shipping DES products to
the U.S. and presumably elsewhere in the world with no more than a few days of
government export control delay, if any. Sometimes the claim is that they have to
fill out "some papers," but it's no big problem. In Australia, we are told, the exporting
company must get a certificate that the destination country does not repress its
citizens. Many countries allow shipment so long as it is not to former CoCom restricted
countries (the former Soviet bloc and countries that support terrorism).
Our experience with these purchases has demonstrated conclusively that U.S.
business is at a severe disadvantage in attempting to sell products to the world
market. If our competitors overseas can routinely ship to most places in the world
within days and we must go through time-consuming and onerous procedures with
the most likely outcome being denial of the export request, we might as well not
even try. And that is exactly what many U.S. companies have decided.
And please be certain to understand that we are not talking about a few isolated
products involving encryption. More and more we are talking about major information
processing applications like word processors, databases, electronic mail packages,
and integrated software systems that must use cryptography to provide even
the most basic level of security being demanded by multinational companies.
Demonstrations of available cryptographic products
We have before us today several examples of cryptographic products that were
lawfully obtained in the United States from foreign vendors:
• AR DISKrete: produced by Algorithmic Research Limited (ARL), Israel. Uses
DES disk/file encryption to provide PC security and access control.
• EDS: produced by Sophos Ltd., UK. DES-based PC file encryption package.
• F2F (File-to-File): produced by Cryptomathic A/S, Denmark. DES-based PC file
encryption utility.
• Softcrypt: produced by CEInfosys GmbH, Germany. DES-based PC file
encryption utility.
• SAFE-GUARD Easy: produced by uti-maco, Germany. DES-based PC file
encryption utility.
• EXCELLENCE for DOS: produced by Elias Ltd., Russia; distributed through
EngRus Software International, UK. GOST-based (Russian DES equivalent) PC
file encryption utility.
In addition to these products, we have the complete set of notebooks of product
literature we have gathered to confirm the information in our worldwide survey of
cryptographic products.
We also have a demonstration of the power of the digital revolution and the im-
pact it will have on all our communications in the future. Traditionally, when we
think of voice communications, we think of the telephone in its many forms (desk,
cordless, cellular, car). However, many modern computer workstations now have the
ability to carry voice as well as other multimedia communications. Routinely today
on the Internet, voice conferences are held over packet switched communications
networks.
Today we have a demonstration using two off-the-shelf Apple Macintosh
PowerBooks that come with both speakers and microphones that enable software
programs such as Talker from 2 Way Computing, Inc., of San Diego, CA, to trans-
form a laptop computer into a telephone.
With this laptop computer telephone, it is easy to protect phone conversations
from eavesdroppers. Since all the telephone functions are performed in software, it
is trivial to add an encryption algorithm, such as the DES, to the software and pro-
vide good quality encryption to the digitized speech.
Export control of information in the public domain
The U.S. International Trade in Arms Regulations (ITAR) govern what products
can and cannot be subjected to export controls. These regulations clearly define a
set of conditions in which information considered to be in the "public domain" cannot
be subject to controls. In the ITAR itself, public domain is defined as information
that is published and that is generally accessible or available to the public:
• Through sales at bookstores,
• At libraries,
• Through patents available at the patent office, and
• Through public release in any form after approval by the cognizant U.S. Gov-
ernment department or agency.
The Data Encryption Standard has been openly published as a Federal Informa-
tion Processing Standard by the U.S. Government since 1977. Implementations of
it in hardware and software are routinely available in the U.S. and throughout the
world. Publication of software programs containing DES in paper form are per-
mitted because of the First Amendment in the Bill of Rights. But the export of DES
as hardware or software remains subject to export control despite its clearly being
in the public domain.
One frustrating and somewhat humorous result of this situation occurred recently
when NIST published a FIPS that contained source code for DES. In paper form,
the Automated Password Generation Standard, FIPS 181, is acceptable for world-
wide dissemination. But when NIST made the FIPS available over the Internet
without an export restriction notice, it was immediately copied by computers in Denmark,
the UK, and Taiwan. When it was pointed out that NIST's actions were in
apparent violation of the ITARs, they quickly moved the file to a new directory with
an appropriate export prohibition notice. Now FIPS 181 is available from hosts
throughout the world along with the notice that export from the U.S. is in violation
of U.S. export control laws.
NIST "exported" source code for DES with apparent immunity. Phil Zimmerman
is still being investigated by the U.S. government and facing a four year imprisonment
for allegedly doing nothing more.
Unfortunately, U.S. companies are not allowed to treat the export of DES in quite
so simple a manner. As discussed earlier, DES is routinely available anywhere in
the world. It meets the definition of "in the public domain" on numerous levels. And
yet U.S. companies are prevented from exporting it other than to Canada. This situ-
ation is yet another example of the inconsistencies of U.S. export control policies.
Industrywide experiences
Some companies do try to compete and offer excellent DES-based products in the
U.S. But because of the export restrictions, they must develop weaker versions for
export if they wish to pursue foreign markets. Many companies forgo the business
rather than spend extra money to develop another inferior product that cannot com-
pete with products widely available in the market.
The government already has a measure of lost sales and dissatisfied customers
in the number of State Department/NSA export license applications denied, modified,
or withdrawn. However, it is impossible to estimate accurately the full extent
of lost sales. Many potential customers know that U.S. companies cannot meet their
demand and thus no longer require. Conversely, most major companies have given
up even trying to get export approvals for DES to meet customer demand.
One U.S. company, Semaphore Communications Corporation, that makes products
using DES encryption has provided the following comments on their recent experiences
(quoted from a letter dated 4/20/94 to Stephen T. Walker from William Ferguson
of Semaphore):
As a small company with limited resources, we have chosen to get an as-
sessment directly from the NSA prior to investing too many resources in
pursuing the situations, as the NSA Export Office is the ultimate authority
on whether any export license will be granted; or the U.S. companies with
familiarity of the export regulations have advised us of their position before
we invested too many resources.
The recent short-list of opportunities include:
1. NATO: order placed by SHAPE Technical Centre in 11/93 as precursor of NATO-wide
security plan; pre-order query to State Dept. gave verbal approval as shipment
was to an APO address: on submitting license application, NSA denied permission
to ship. NATO officials are currently trying to get permission from NSA,
but have thus far been denied.
2. Hong Kong Immigration Department: project to secure network communications
for all department sites with fully redundant scheme: sought ruling before bidding
in partnership with AT&T; denied 4/93. All competitors bid Racal; as a British
company they had no restrictions.
3. Norway Telecom: planning secure network for government and financial users
using single solution: sought ruling before bidding; told use sounded too general
and export office would have difficulty approving. 10/93.
4. Dutch National Police computer network: application to secure entire national
data network: advised would not be granted permission when seeking pre-bid ruling,
11/93. Attempted to have our application viewed in same context as open license
granted to DEC and IBM for similar equipment, but advised would need
letters from all Dutch government agency department heads for any consideration.
This effort would have required more than three months of effort by company
executive located in Holland. Deemed too expensive for only one project.
5. Michelin: seeking solution to secure global network including all US-based, ex-
Firestone facilities: when advised of export restrictions, Michelin rejected US-
based technology to seek other solution; 4/93.
6. Volkswagen: in planning of security strategy for global networks; solicited bid:
rejected US-based technology when informed of export regulations, 2/93.
7. Boeing: one of largest global users of secure communications: advised Boeing
didn't want to have to deal with export regulations for meeting needs: continues
to buy Racal products to avoid U.S. regulations. Continue to try to sell, but have
met with resistance for procurements 10/92, 4/93, 11/93. Volume would be very
high as Boeing took delivery of 800 routers in 1993, and our equipment would
have 1:1 relationship. Boeing now in another review cycle.
8. GE: has major program in planning to secure global networks: diverse ownership
in many locations has GE seeking foreign solutions for global uniformity.
9. Swiss National Justice and Police Department: project to connect all police and
court locations in country: advised by NSA that approval would be hard to justify
based on fact that it was Switzerland, 4/94.
10. Thomsen CSF: seeking technology partner for next generation of Thomsen prod-
ucts: sought out Semaphore as Thomsen technology group finds our technology to
be far ahead of any other global options, and wanted to have fast time-to-market:
NSA suggested we discontinue further discussions, 4/94.
11. Sikorsky: advised permission would not be granted for equipment at foreign
joint-venture partners for new commercial helicopter venture, 3/94. Revisited with
another NSA export official in 4/94, and advised that license might be granted if
use was to principal benefit of a USA company. No firm commitment until license
application is submitted as one location is in Japan.
12. Glaxo Pharmaceutical; world's largest pharmaceutical company has global re-
quirement to secure testing and development data: will seek other solutions as
Semaphore cannot deliver to other global locations, 2/94.
13. Pillsbury: has strategy to secure global networks: as owned by UK-based Grand
Metropolitan, will seek other solutions which can be shipped to all global locations,
11/93.
The total value for all of these opportunities is estimated to be in the range of
$30 to $50 million based on the preliminary estimates of the projects.
You have Semaphore's permission to submit this information with your testimony
before the Congress.
Gauging the extent of economic harm industrywide is an inherently difficult
task because most companies do not want to reveal that sort of information.
Consequently what exists, with the exception of statements like that from Semaphore,
is mostly anecdotal information. But the accumulation of anecdotal information
collected by the SPA paints a picture of three ways in which the export controls
on cryptographic products are hurting American high-tech industry.
(1) Loss of business directly related to cryptographic products: First, for many
data security companies, every sale is vital, and the loss of contracts smaller than
$1 million can often mean the difference between life and death for these companies.
The confusion and uncertainty associated with export controls on encryption gen-
erate severe problems for small firms, but not as severe as the loss of business they
suffer from anti-competitive export controls. Examples abound:
• One U.S. company reported loss of revenues equal to a third of its current total revenues because export controls on DES-based encryption closed off a market when its customer, a foreign government, privatized the function for which the encryption was used, and the U.S. company was not permitted to sell to the private foreign firm. The company estimates it loses millions of dollars a year because it receives substantial orders every month from various European customers but cannot fill them because of export controls.
• One small firm could not sell to a European company because that company
sold to clients other than financial institutions (for which export controls grant
an exception). Later, the software firm received reports of sales of pirated copies
of its software. This constituted the loss of a $400,000 contract for the small
U.S. software firm.
• Because of existing export restrictions, an American company recently found it-
self unable to export a mass market software program that provided encryption
using Canadian technology based on a Japanese algorithm. Yet other European
and Japanese companies are selling competing products worldwide using the
same Canadian technology.
• An SPA member's product manager in Europe reported the likely loss of at least
50% of its business among European financial institutions, defense industries,
telecommunications companies, and government agencies if present restrictions
on key size are not lifted.
• Yet another SPA member company reported the potential loss of a substantial
portion of its international business if it cannot commit to provide DES in its
programs.
• A German firm that opened a subsidiary in the U.S. sought a single source encryption software product for both its German and U.S. sites. A U.S. data security firm that bid for the contract lost the business because U.S. export controls required that the German firm would have to wait approximately six months while a license was processed to sell them software with encryption for foreign application. The license could only be for one to three years, the three year license being more expensive. Consequently, the German firm ended up purchasing a DES-based system from another German company, and the U.S. firm lost the business.
• A foreign government selected one software company's data security product as that government's security standard. The company's application to export the DES version was denied, and as a consequence the order was lost. This cost the company a $400,000 order and untold millions in future business.
(2) Loss of business from U.S. companies with international concerns: Second, multinational corporations (MNCs) are a prime source of business in the expanding international market for encryption products. Many U.S.-based firms have foreign subsidiaries or operations that do not meet export requirements. While U.S. products may be competitive in the U.S., many MNCs obtain from foreign sources encryption systems that will be compatible with the company's worldwide operations. Moreover, foreign MNCs cannot rely on the availability of U.S. products and have been known to import foreign cryptography for use in their U.S. operations.
• One U.S. firm reports the loss of business from foreign MNCs that will not inte-
grate the company's products into their U.S. operations because of the export
restrictions that would prevent them from being compatible with their domestic
operations.
• The Computer Business Equipment Manufacturers Association reports that one
of its members was denied an export license and lost a $60 million sale of net-
work controllers and software for encryption of financial transactions when the
Western European customer could not ensure that encryption would be limited
to financial transactions.
(3) Loss of business where cryptography is part of a system: Third, encryption sys-
tems are frequently sold as a component of a larger system. These "leveraged" sales
offer encryption as a vital component of a broad system. Yet the encryption feature
is the primary feature for determining exportability. Because of the export restric-
tions, U.S. firms are losing the business not just for the encryption product but for
the entire system because of the restrictions on one component of it.
• One data security firm has estimated that export restrictions constrain its market opportunities by two-thirds. Despite its superior system, it has been unable to respond to requests from NATO, the Swedish PTT, and British telecommunications companies because it cannot export the encryption they demand. This has cost the company millions in foregone business.
• One major computer company lost two sales in Western Europe within the last 12 months totaling approximately $80 million because the file and data encryption in the integrated system was not exportable.
One possible solution to the problem of export controls may be for U.S. companies
to relocate overseas. Some U.S. firms have considered moving their operations over-
seas and developing their technology there to avoid U.S. export restrictions. Thus,
when a U.S. company with technology that is clearly in demand is kept from export-
ing that technology, it may be forced to export jobs instead.
How are U.S. citizens and businesses being affected by all this?
The answer to this question is painfully simple. When U.S. industry forgoes the opportunity to produce products that integrate good security practices, such as cryptography, into their products because they cannot export those products to their overseas markets, U.S. users (individuals, companies, and government agencies) are denied access to the basic tools they need to protect their own sensitive information.
The U.S. Government does not have the authority to regulate the use of cryptography within this country. But if through strict control of exports they can deter industry from building products that effectively employ cryptography, then they have achieved a very effective form of internal use control. You and I do not have good cryptography available to us in the word processors and data base management and spreadsheet systems even though there is no law against our use of cryptography. If we want to encrypt our sensitive information, we must search out special products that usually must be used separately from our main workstation applications. This is a very effective form of internal use control, and it makes all levels of U.S. industry vulnerable to foreign and domestic industrial espionage.
And Clipper, as presently being implemented, does nothing to help this problem.
What should Congress do?
In this case, Congress is already doing something! Last November, Representative Maria Cantwell introduced HR 3627, a bill that would shift export control of mass market software products, including those with cryptography, from the Department of State to the Department of Commerce, thus allowing them to be treated as normal commodities instead of munitions. This bill should be considered as part of Chairman Gejdenson's overall bill to reform export controls. In the Senate, the Murray-Bennett initiative, S 1846, to reform export controls has a similar objective.
Legislation such as HR 3627 and S 1846 must be passed as soon as possible to
balance the national economic interests against those of law enforcement and na-
tional security.
SUMMARY
On Clipper key escrow
In addition to all the concerns about civil liberties and the use of classified cryp-
tography to protect unclassified information, there are very real concerns about
whether Clipper will really help law enforcement deal with the emergence of
encrypted phone and data traffic. The Administration needs to come forth with some
form of business plan for how it expects this program to succeed in the marketplace.
The imposition of a technology as potentially invasive of Americans' right to privacy should not occur merely by executive edict but rather as the result of careful consideration and passage of legislation by the Congress and by being signed into law by the President and determined to be Constitutional by the Supreme Court. Only when this has been completed will most Americans accept key escrow. Only then will Clipper key escrow have a chance of succeeding.
If the Administration does not take immediate steps to introduce legislation defin-
ing the role of key escrow in the U.S., Congress must take decisive steps to do so
itself.
The digital signature standard
The continuing failure of the U.S. Government to promulgate a Digital Signature Standard after twelve years of trying is a national economic tragedy. The world of electronic commerce could have been well along by now instead of just getting started had a standard been established even a few years ago. Those in government who think they are making great strides with the National Performance Review and the National Information Infrastructure will soon realize that until there is an effective DSS, their efforts will be of very limited success.
Make no mistake about it, the reason we have no DSS is because the national security and law enforcement interests in the U.S. have stymied all attempts to approve the logical worldwide de facto standard, and they have not been able to come up with an alternative. And it does not appear that they will succeed in identifying one any time in the near future.
Congress is well justified in taking the extraordinary step of naming a Digital Sig-
nature Standard based on the worldwide commercial choice. Congress has an obliga-
tion to the American people to allow the U.S. to enter the world of electronic com-
merce before the 21st century. It truly appears that we may never have a DSS oth-
erwise.
On export control of cryptography
The widespread availability of cryptography throughout the world and the ease with which other countries, including our closest allies, allow the export of cryptography to the U.S. and elsewhere make it imperative that our U.S. Government's regulation of cryptographic exports move out of the Cold War. Export controls have been relaxed on every other form of high tech computer and communications technology. Continuation of cryptography export controls is only hurting American citizens and businesses.
Law enforcement and national security interests will continue to encounter ever-growing amounts of encrypted communications no matter how many restrictive steps the Administration attempts to take. We must realize this basic fact of technology advancement and stop hamstringing U.S. national economic interests in the hope that we are helping our national security interests.
It is evident from the Administration's refusal to relax cryptographic export policies during the Clipper Interagency Review that the Executive Branch is going to continue to emphasize the interests of national security and law enforcement over our national economic interests until we become a third-rate economic power.
Only the Congress can take the steps to balance the interests of American citizens
and businesses against that immovable force. I strongly support the Cantwell Bill,
HR 3627, and the Murray-Bennett initiative, S 1846.
On a national policy on cryptography
All of these concerns reflect the dilemma between the interests of private citizens and businesses in the U.S. to protect their sensitive information and the interests of law enforcement and national security to be able to monitor the communications of our adversaries.
We need a national statement of policy in this country defining what "rights" individuals and the government can expect in the use of cryptography. Such a policy might ban the use of cryptography by private citizens or remove all restrictions on cryptography exports. More likely, it will seek a compromise to balance our national economic and security interests. One example of such policy is:
"Good cryptography" shall be available to U.S. citizens and businesses without government restriction.
"Good cryptography" is defined as that which is commonly available throughout the world, presently the Data Encryption Standard and RSA public key cryptography with a 1024-bit modulus.
"Without government restriction" means without export control or other government regulation.
The Administration must understand that until a fair and open review of such
a national policy is completed, the struggle over the control of cryptography will not
go away.
The Congress can and must play a pivotal role in resolving this dilemma. I strong-
ly urge members of Congress to find a resolution of this issue before our economic
interests are surrendered in the interests of law enforcement and national security.
ATTACHMENT 1
[Attachment 1 is a multi-page table; only its title survived the scan and the body is not legible.]
ATTACHMENT 2
COMPANIES MANUFACTURING-AND/OR DISTRIBUTING
CRYPTOGRAPHIC PRODUCTS WORLDWIDE
From the Software Publishers Association survey of cryptographic products as of April 25, 1994.
ARGENTINA
Newnet S.A.
AUSTRALIA
Cybanim Pty Ltd.
Datamatic Pty Ltd.
Eracom Pty Ltd.
Eric Young
Loadplan Australasia Pty Ltd.
LUCENT
News Datacom
Randata
Robust Software
Ross Williams
Sagem Australasia Pty Ltd.
TRAC Systems
Tracom
AUSTRIA
BAHRAIN
BELGIUM
CANADA
Schrack-Dat
International Information Systems
Cryptech NV/SA
GSA Ran Data Europe
Highware, Inc.
UninaSA
Vector
A.B. Data Sales, Inc.
Concord-Eracom Computer Ltd.
Isolation Systems
Mobius Encryption Technologies
Newbridge Microsystems
Northern Telecom Canada Limited
Okiok Data
Paradyne Canada Ltd.
Secured Communication Canada 93, Inc.
DENMARK
Aarhus University, Computer Science Department
CryptoMathic
GN Datacom
Iversen & Martens A/S
LSI Logic/Dataco AS
Swanholm Computing A/S
FINLAND
Antti Louko
Ascom Fintel OY
Instrumentoiti OY
FRANCE
Atlantis
CCETT
CSEE - Division Communication et Informatique
CSIL
Cryptech France
Dassault Automatismes et Telecommunications
Digital Equipment Corporation (DEC), Paris
Research Lab
Incaa France S A.R.L.
LAAS
Philips Communication Systems
Rast Electronics
S.A. Gretag
Sagem
Smart Diskette
Societe Sagem
GERMANY
AR Datensicherungssysteme GmbH
CCI
CE Infosys GmbH
Concord-Eracom Computer GmbH
Controlware GmbH
Data Safe
Dynatech-Gesellschaft für Datenverarbeitung GmbH
EuroCom EDV
FAST Electronic
Gliss & Herweg
GMD
Gretag Elektronik GmbH
KryptoKom
Markt & Technik Software Partners Intl. GmbH
Paradyne GmbH
Siemens
Smart Diskette GmbH
Tela Versicherung
Tele Security Timmann
Telenet Kommunication
The Compatibility Box GmbH
Tulip Computers
UTI-MACO GmbH
GREECE
G.J. Messaritis & Co. Ltd.
ORCO Ltd.
HONG KONG
News Datacom
Triple D Ltd.
INDIA
Chenab Info Technology
IRELAND
Eurologic Systems, Ltd.
Renaissance Contingency Services, Ltd.
Shamus Software Ltd.
ISRAEL
Algorithmic Research Ltd.
ELYASIM
News Datacom
TADIRAN
ITALY
Incaa SRL
Olivetti
Ratio Srl
Telvox s.a.s.
Unlautomation
JAPAN
Fujitsu Labs Ltd.
Japan's National Defense Academy
Paradyne Japan, KK
Yokohama National University
LUXEMBOURG
Telindus SA
MALTA
Shireburn Co. Ltd.
NETHERLANDS
Ad Infinitum Programs (AIP-NL)
CRYPSYS Data Security
Concord Eracom Nederland BV
Cryptech Nederland
DigiCash
DSP International
Geveke Electronics BV
Incaa Datacom BV
Incaa Nederland BV
Repko BV Datacomms
Verspeck & Socters BV
NEW ZEALAND
LUC Encryption Technology, Ltd. (LUCENT)
Peter Gutmann
Peter Smith and Michael Lennon
NORWAY
BDC Bergen Data Consulting A/S
Ericsson Semafor
PDI
Scand PC Sys/Sectra
Skanditek A/S
UMISA
POLAND
PORTUGAL
SOFT-u.l.
Inforaova
Redislogar SA
RUSSIA
Askri
DKL Ltd.
Elias Ltd.
LAN Crypto
RESCrypto
ScanTech
TELECRYPT Ltd.
SAUDI ARABIA
Info Guard Saudi Arabia
SINGAPORE
Communications Systems Engineering Pty. Ltd.
Digitus Computer Systems
SOUTH AFRICA
BSS (Pty) Ltd.
Computer Security Associates
EFT
InfoPlan - Division of Denel P/L
Intelligent
Nanoteq
Net One
Siemens Ltd.
Spescom
Technctics
SPAIN
Asociacion Espanola de Empresas de Informatica
Asociacion Nacional de Industrias Electronicas
Redislogar Comunicaciones SA
SECARTYS
Sinutec
Tecnitrade Int. SA
SWEDEN
AV System Infocard
Ardy Elektronics
Au-System Infocard AB
COST Computer Security Technologies International
DynaSoft
QA Informatik AB
SONOR Crypto AB
SecuriCrypto AB
Stig Ostholm
Tomas Tesch AB
SWITZERLAND
ASCOM Tech AG
Brown-Boveri
Crypto AG
ETH Zurich
Ete-Hager AG
Gretag AG
Incaa Datacom AG
Info Guard AG
Omnisec AG
Organs
Safeware
UK
Aiitech Computer Security
British Telecom
Business Simulations
Cambridge Electric Industries
Codepoint Systems Ltd.
Compserve Ltd.
Computer Associates
Computer Security Ltd.
Cylink Ltd.
Data Innovation Ltd.
DataSoft International Ltd.
Datamedia Corporation, Ltd.
Digital Crypto
Dynatech Communications Ltd. (Northern office)
Dynatech Communication Ltd.
EngRus
Fulcrum Communications
GEC-Marconi Secure Systems
Gelosia
Global CIS Ltd.
Gretag Ltd.
Honeywell
IT Security International
ITV
IncaaUK
Interconnections
International Data Security
International Software Management
J.R.Ward Computers Ltd.
JPY Associates
Jaguar Communications Ltd.
Janus Sovereign
Loadplan
Logica
Marconi
Microft Technology Inc.
Micronyx UK Ltd.
Network Systems
News Datacom
Northern Telecom Europe Limited
PC Security Ltd.
PPCP
Paradyne European Headquarters
Plessy Crypto
Plus 5 Engineering Ltd.
Prosoft Ltd.
Protection Systems Ltd.
Racal
Racal Milgo
Radius
S&S International
Shareware plc
Sington Associates
Smart Diskette UK
Smith's Associates
Softdiskette
Sophos Ltd.
Stralfors Data
Sygnus Data Communications
The Software Forge Ltd.
Time & Data Systems
Tricom
University College London
Widney Ash
Zergo
Zeta Communications Ltd.
USA
3COM Corp.
ADT Security Systems
AO Electronics
AOS
ASC Systems
ASD Software Inc.
ASP
AST Research
AT&T
AT&T Bell Laboratories
AT&T Datotek Inc.
Access Data Recovery
Advanced Computer Security Concepts
Advanced Encryption Systems
Advanced Information Systems
Advanced Micro Devices, Inc. (AMD)
Aladdin Software Security
American Computer Security
Anagram Laboratories
Applied Software Inc.
Arkansas Systems, Inc.
Ashton Tate
BCC
BLOC Development Corporation
Banyan
Bi-Hex Co.
Borland
Braintree Technology
Burroughs
CE Infosys of America, Inc.
Casady and Greene
Centel Federal Systems Inc.
Central Point Software
Certus International
Cettlaji Corp.
Chase Manhattan Bank, N.A.
Clarion
Codex Corp.
Collins Telecommunications Products Division
Command SW Systems
Comracrypt
Communication Devices Inc.
Complan
Computer Associates International, Inc.
Contemporary Cybernetics
Cryptall
Cryptech
Cryptex/Gretag Ltd.
Cylink Corp.
Cypher Comms Technology
DSC Communications
DataBase International
Datakey Inc.
Datamedia Corporation
Datamedia Corp. (DC Area)
Datawatch, Triangle Software Division
Datotek, Inc.
Dell Computer
Digital Delivery, Inc.
Digital Enterprises Inc.
Digital Equipment Corporation (DEC)
Digital Pathways
Docutel/Olivetti Corp.
Dolphin Software
Dowty Network Systems
ELIASHIM Microcomputers Inc.
EMUCOM
Enigma Logic, Inc.
Enterprise Solutions Ltd.
Fairchild Semiconductor
Fifth Generation Systems, Inc.
Fischer International
Front Line Software
GN Telematic Inc.
GTE Sylvania
Gemplus Card International
General Electric Company
Glenco Engineering
HYDELCO, Inc.
Hawk Technologies Inc.
Hawkeye Grafix, Inc.
Hilgraeve, Inc.
Hughes Aircraft Company
Hughes Data Systems Inc.
Hughes Network Systems - California
Hughes Network Systems - Maryland
Hybrid Communications
INFOSAFE
Incaa Inc.
Info Resource Engineering
Info Security Systems
Information Conversion Services
Information Security Associates, Inc.
Information Security Corp.
Innovative Communications Technologies, Inc.
Intel
International Business Machines (IBM)
Inter-Tech Corp.
Isolation Systems, Inc.
John E. Holt and Associates
Jones Futurex, Inc.
Kensington Microware Ltd.
Kent Marsh Ltd.
Key Concepts
Kinetic Corp.
LUCENT
Lassen Software, Inc.
Lattice Inc.
Lexicon, ICOT Corporation
Litronic Industries (Information Systems Division)
Litronic Industries (Virginia)
Lotus
MCTcl
Maedac Enterprises
Magna
Mark Riordan
Massachusetts Institute of Technology
Matsushita Electronic Components Co.
Mergent International
Micanopy MicroSystems Inc.
Micro Card Technologies, Inc.
Micro Security Systems Inc.
MicroFrame Inc.
Microcom Inc. (Utilities Product Group)
MicroLink Technologies Inc.
Micronyx
Microrim
Microsoft
Mika, L.P.
Mike Ingle
Morning Star Technologies
Morse Security Group, Inc.
Motorola
NEC Technologies
National Semiconductor
Network-1, Inc.
Networking Dynamics Corp.
Nixdorf Computer Corporation
Northern Telecom Inc.
Norton
Novell
OnLine SW International
Ontrak Computer Systems Inc.
Optimum Electronics, Inc.
Otocom Systems Inc.
PC Access Control Inc.
PC Dynamics Inc.
PC Guardian
PC Plus Inc.
Paradyne Caribbean, Inc.
Paradyne Corporation
ParaJon Technologies
Personal Computer Card Corp.
Pinon Engineering, Inc.
Prime Factors
RSA Data Security, Inc.
RSA Laboratories
Racal Datacom
Racal-Guardata
Racal-Milgo USA
Rainbow Technology
Raxco
Rothenbuhler Engineering
S Squared Electronics
SCO
SVC
Safetynet
Samna Corp
Scrambler Systems Corp.
Sector Technology
Secur-Data Systems, Inc.
Secura Technologies
Secure Systems Group International, Inc.
Security Dynamics
Security Microsystems Inc.
Semaphore Communications
Sentry Systems, Inc.
Silver Oak Systems
SmartDisk Security Corp.
Software Directions, Inc.
Solid Oak Software
SophCo, Inc.
Sota Miltopc
Stellar Systems Inc.
Sterling Software Inc. (Dylakor Division)
Sterling Software Inc. (System SW Marketing Division)
SunSoft
Symantec
TRW, Electronic Product Ltd.
Techmar Computer Products, Inc.
Techmatics, Inc.
Technical Communications Corp. (TCC)
Telequip Corp.
Terry Riner
Texas Instruments, Inc.
The Exchange
Thumbscan, Inc.
Tracor Ultron
Trigram Systems
Tritron Systems
Trusted Information Systems, Inc.
UNIVAC
UTI-MACO Safeguard Systems
UUNet Technologies, Inc.
United Software Security
Uptronics, Inc.
VLSI Technology, Inc.
Verdix Corp. (Secure Products Division)
ViaCrypt
Visionary Electronics
Wang Laboratories
Wells Fargo Security Products
Western DataCom Co. Inc.
Western Digital Corporation
Westinghouse Electric Corp.
WordPerfect
XTree
Xetron Corp.
Yeargin Engineering
Zenith Data Systems
hDC
usrESZ Software, Inc.
YUGOSLAVIA
Sophos Yu d.o.o.
Senator Leahy. Now, let me ask you this. On this program, how
difficult would it be to decrypt it?
Mr. Walker. Well, we have the decryption program in there on
your phone and it is doing the decryption. You mean how difficult
would it be for someone else?
Senator Leahy. Yes; let us say that it is somebody else.
Mr. Walker. This is standard DES, which is 56 bits of key. As
Ray Kammer said, DES has served us very well for 17 years. It
would take — well, there was an estimate last summer at the crypto
conference that if you built a special purpose device for $10 mil-
lion— this was actually an engineering estimate of some detail —
you could exhaustively check the key space of DES in 3.5 hours,
and that is the fastest that anyone has ever regularly predicted
that.
Senator Leahy. But Clipper Chip would take a lot longer than
that.
Mr. Walker. Clipper is 80 bits, and it is 2 to the 56th versus
2 to the 80th and it is 16 million times harder to do Clipper, so
Clipper is very strong. Of course, and I don't want to hammer this
too hard, but the question of what we do if DES gets too weak —
well, one thing to do is to back up essentially DES processes to-
gether— it is actually three of them — and you can double the key
length. So you can go to 128 bits with DES with the algorithms
and with the software that is already available.
Senator Leahy. With this, if you were sending something to me,
I have got to know the key.
Mr. Walker. That is right.
Senator Leahy. One, I have got to have the program, but then
I have got to know which key to use.
Mr. Walker. Yes; and if you were to use it as a telephone you
would like to set it up like the — well, if you want key escrow, you
can run it the same way that the exchange of the key happens with
the Clipper. If you don't like key escrow, you can do it the way they
did it in the P version, which doesn't have key escrow. We could
have, in fact, set up that same key exchange process. We just didn't
have the time to do it.
Senator Leahy. Now, you have linked them by an independent
line, but you could have done this over regular telephone lines,
couldn't you?
Mr. Walker. That is right, yes, sir.
Senator Leahy. And if you wanted to talk to your employees in
London from an office in Maryland, you could use the same com-
puter program to scramble those kinds of conversations?
Mr. Walker. Yes.
Senator Leahy. And data transmission, also?
Mr. Walker. Yes; we have an alternative to PGP called Privacy
Enhanced Mail, which is essentially the same kind of functionality
that was talked about in the Wall Street Journal the other day.
Some folks in England want it, the Ministry of Defense, in fact,
and we have not been able to sell it to them because of the export
laws.
The specs for PEM are internationally available and so we actu-
ally hired a scientist in England to rewrite the code from scratch
using DES and RSA that is already available in England, and we
have demonstrated that to the British Ministry of Defense. They
can buy it in England. We can't sell them our stuff here, so we
have essentially done a second implementation. The irony is that
the British export laws are such that we may well be able to export
to the U.S. the version that we built in England which, of course,
we couldn't ever send back to them.
Senator Leahy. Now, the administration has stated that the use
of key escrow encryption is going to be voluntary even for Federal
agencies, and that no alternative encryption system is going to be
outlawed.
Mr. Walker. Yes; that sounds very good.
Senator Leahy. Then what is the concern? If that is so, why is
there concern about Clipper Chip?
Mr. Walker. If that is so and if the numbers that I have pro-
jected down here are also right, one shouldn't have a concern about
it. One is not certain that that is going to remain so forever,
though. I mean, I am fearful that they are going to realize in 4 or
5 years, you know, this just isn't working; we are still having a
problem. Then they will change the rules and it won't be voluntary.
Senator Leahy. Yes; you are saying if Clipper Chips are not ac-
cepted on a voluntary basis. Then what do you think they are going
to say? Whether you have got Clipper or DES or Pretty Good Pri-
vacy, or whatever, you have got to have a key escrow feature?
Mr. Walker. It is clear — and I want to be very clear. I sym-
pathize greatly with the law enforcement and the national security
interests in this, and I am not trying to make their lives harder
in this. As I was talking to the admiral just before we started here,
he said this all started back when Admiral Inman let DES out.
Well, indeed, that is the case. DES got out of the bag in 1976 or
1977 and we are now seeing it available around the world.
Their job, unfortunately, is going to get much harder whether we
impose key escrow or whether we continue to control export control
or not. I don't want to make their job harder, but I don't think it
is reasonable for them to sacrifice U.S. national economic interests
in the interest of keeping something that is already out of the bag
and is eventually going to make life very difficult for them anyway.
Senator Leahy. Unless they require the key escrow feature with
everything.
Mr. Walker. Indeed; key escrow, though, as we have seen in
these devices and in the Tessera cards that are part of the Cap-
stone Program, requires that it be done in hardware. I am a mem-
ber of the NIST Software Escrow Alternatives Committee, and we
indeed have met bimonthly, not biweekly, and we are struggling
with whether there is any alternative here.
To require key escrow that you can't defeat trivially, you have to
do it in hardware, and the whole point of this demonstration and
thousands of others like it is encryption is available in software. No
one is going to want to put key escrow along with this if, in fact,
they have to add hardware to this when they already have it with-
out it. So making a law that says you have to have key escrow will
be one of the most significant laws that no one pays attention to
that we have had in a long time.
Senator Leahy. We have had a few of those over the years.
Mr. Walker. Indeed; I mean, it's Prohibition all over again. It
is going to be fun.
Senator Leahy. I am too young to remember; that was before my
time anyway, but I remember some of the stories my father told
me about that.
You talk about NIST. Mr. Kammer, when he was testifying, said
that NIST is open to other approaches. One, do you feel it is? I
mean, you are serving with that advisory committee. Secondly, are
there alternatives to Clipper Chip that could serve the objectives
of protecting the privacy of communications, but not irreparably
damage some of our national security and law enforcement needs?
I should emphasize in this that I am convinced both from open
hearings and classified hearings that we have some very, very seri-
ous law enforcement needs and we have some very, very serious
national security needs.
Mr. Walker. I agree.
Senator Leahy. In the national security area, I don't worry so
much, as I have said on many occasions, about an army marching
against us or a navy sailing against us, or an air force, because we
are far too powerful for that. I am far more worried about a well-
organized, well-directed, well-motivated terrorist group coming
from abroad, one that could cause enormous physical damage as
well as psychological damage. One that, I don't think it would be
stretching it too far to say, could cause real damage to our constitu-
tional liberties and our constitutional way of doing things, more so
than the armies of World War I and World War II. Such a group
could suddenly make us question everything from our search and
seizure laws to our freedom of speech laws. That, as an American
and one who has seen the importance of those constitutional safe-
guards, bothers me very much.
So do you see such alternatives?
Mr. Walker. Well, there are alternatives that people have talked
about. Sylvia McCauley at MIT has proposed for some time, and
indeed apparently has some patents on some key escrow tech-
nologies. Basically, those end up being voluntary unless you can —
I mean, easy to bypass is what I mean, making them — the law en-
forcement people can't insist that this is, in fact, going to be im-
posed every time, and that seems to be a real hangup with the ad-
ministration that if it is not something that can be imposed
every time it is used, then they are not interested in it. Unless we
reorder the way in which we build our computers and our tele-
phones, it is going to be very difficult, without something like the
Clipper or the Capstone chip, to be able to have this happen
every time.
To your other point, I think this is why I have come to the con-
clusion after thinking about this for a year that we have a national
dilemma here — the difference between individuals' rights to privacy
and the law enforcement and national security needs. That is why
I think it is so important that this be submitted for legislation and
let all sides have their say and let the Congress decide whether we
should impose this or not.
I really am not sure there is any other way to get out of this one.
I mean, wiretaps are not an attractive thing to individuals, but we
have decided that under certain circumstances wiretaps are OK.
We may well decide that key escrow is OK. It certainly does pro-
vide advantages if it becomes widely used, but I don't think — as the
administration is now proceeding with this essentially on its own
without any legislation, without any other use of the separation of
powers of the Constitution, I don't think Americans are going to
buy Clipper escrow devices, and so it is not going to achieve what
they want.
If we considered legislation and as a country we decided this is
the thing we need, for exactly the reasons that you were just giv-
ing, then fine. I will go along with it. I don't actually have that big
a problem if our government is using — I mean, what I am suggest-
ing is we put the key escrow center in the judiciary so that nobody
in the executive branch supposedly can twist their arms.
We are in a situation where we have to trust our government for
a certain amount of things. We shouldn't have to trust it for any
more than we have to, and every time we do something like this we
should use all the separation of powers that we can. Put the en-
forcement in the executive branch, put the decisionmaking about
the keys in the judicial branch, and keep them separate. It is the
best system we have got and we should be using it.
Senator Leahy. Mr. Diffie, how do you feel about this?
Mr. Diffie. Well, as I said, my first response to this is to look
broadly at the technical resources of law enforcement and say, if
you see the expanding possibilities not only of electronic surveil-
lance but of DNA fingerprinting, of recognition of people in infrared
photographs and a whole range of things that have become avail-
able to law enforcement as investigative and enforcement tools, it
seems very clear that the failures of law enforcement in contem-
porary society are not failures of their technical capabilities.
On the other hand, the introduction of new technologies into soci-
ety brings up the problem of how we embody existing traditions,
values, procedures, et cetera, in using those technologies, and I
think that is a thoroughly legitimate question about the way in
which cryptography will be deployed. In talking about the intrinsic
character of key escrow in storage cryptography, I was citing one
example of that kind of thing.
Senator Leahy. But you don't question, do you, the fact that
there can be some very, very legitimate national security interests
in knowing, for example, what kinds of communications might be
sent from a country hostile to us or known to harbor and protect
terrorists to people here in the United States, and that in protect-
ing our national security there may be a very real need to know
what was in that communication on a realtime basis?
Mr. Diffie. I don't doubt the value of communications intel-
ligence. When you are talking about explicitly communications of
terrorist groups that are foreign state-supported, I see no reason
that the foreign state should be any more hesitant to supply them
with COMSEC equipment than they are to supply them with AK-
47's.
Senator Leahy. You think that what they would do is give them
the kind of communication equipment that we might not be able
to decipher anyway?
Mr. Diffie. Well, you know, there has been a lot of pessimism
in amateur circles over many years about communications intel-
ligence. The fact is that communications are quite hard to protect,
and one of the important things about the sort of devices like the
PSD 3600 is that they protect some aspects of your communica-
tions, but they don't do anything to protect the traffic analysis, the
trap and trace, the pen registers, and all of that. So I think that
you really have to take a comprehensive view of the communica-
tions intelligence and investigative techniques when you ask what
the impact of cryptography applied at one level or another is going
to be.
Senator Leahy. Do you see the need for the ability to find out
what somebody is saying, on a realtime basis for law enforcement
inside our country? Consider a criminal holding somebody hostage
for a ransom and threatening that if the ransom is not paid by a
certain time, the person is going to be killed. We want to know
where the communications are going, to try and determine where
that person might be, with the possibility of a rescue prior to the
person being killed. I mean, this is not a fanciful movie-of-the-week
but could be a real-life situation.
Mr. Diffie. That is a very good example when you are talking
about trying to trace calls, finding out where people are, and so
forth. That is something which modern communications technology
has made an overwhelming improvement in. If you look at the con-
ventional wiretap, it is not so vastly much better than putting a
bug in somebody's room. It is placed on what is called the local loop
and it gives you access to the communications on the local loop
with very little, if any, information about where calls are coming
from.
If you look at modern communications intercepts inside digitized
telephone systems, you are getting realtime information about
where calls came from even if they are long distance.
Senator Leahy. But you might not know what the call is if you
don't know who is on there.
Mr. Diffie. I don't doubt that it is possible to construct a par-
ticular scenario that emphasizes any individual investigative tech-
nique. What I am trying to point out here is that the overall
growth in investigative capability that has flowed from the changes
in telecommunications gives law enforcement a wide range of new
things that they can do that they couldn't do in the past, and that
for them to accept those gleefully and then try to turn to any indi-
vidual element with which they are now having more trouble with-
out taking account of the fact that that is made up for by other re-
sources is to give an unfair impression of the relative importance
of particular investigative techniques versus very serious privacy
concerns for business and individuals.
Senator Leahy. Mr. Walker, what happens on the global elec-
tronic superhighway if Clipper Chip becomes the U.S. standard for
encryption but other countries don't want to let it in?
Mr. Walker. We will have a U.S. superhighway and we won't be
part of what is happening elsewhere. If I might add just a minute
to the comments that Whit was saying, yes, there is the possibility
that some vital event will happen which we may lose to encrypted
communications, but I think we have to balance that on the other
side.
I participated 2 years ago in hearings with Congressman Brooks
on foreign industrial espionage and, essentially, U.S. business is
wide-open en masse right now to communications intercepts any-
where in the world, and we do not have cryptography available on
our laptops as part of Microsoft's products or Novell's products or
WordPerfect's products because we can't export it from this coun-
try. We don't have it ourselves either. You don't have it routinely
available and neither do I.
So, yes, there is a concern that some event, a World Trade Cen-
ter bombing, or whatever, may occur and we may lose something
with that, but we are at grave risk that all of our technology that
we are passing over the United States or global superhighway is
wide-open at this time, and sometime we have to find a balance be-
tween the possibility of an event like a World Center Trade bomb-
ing employing cryptography and the absolute certainty that all of
our industrial information is passing in the clear around the world,
easy for our adversaries, governments and other countries, to pick
off and listen to.
We have got to find a balance between those, and the balance
has just swayed so far in favor of national security and law enforce-
ment that it is going to eventually result in making the U.S. a
third-rate power before we realize how significant that is.
Senator Leahy. Larry?
Senator Pressler. Well, thank you very much, Mr. Chairman.
You may have covered this already, and if you have I apologize.
I have been dealing with other committees this morning. As you
are aware, critics of the administration's proposal argue that, as a
practical matter, no criminal or foreign spy or terrorist of any so-
phistication would be foolish enough to use an encryption device de-
signed by the NSA and approved by the FBI.
Why do we feel that people whose telecommunications the NSA
and FBI want most to decode will be the very people most likely
to use this technology?
Mr. Walker. I suspect you should have been here during the
previous people testifying. We agree with you.
Senator Leahy. We spent about 2 hours going through that one.
Senator Pressler. OK.
Mr. Walker. We don't disagree with the assertion that— well, I
will say specifically this is an AT&T 3600 that does not use key
escrow. It is currently for sale. There is a Clipper version that is
also for sale. I think people who have any sense that they may be
wiretapped are going to go to their AT&T store and buy this one
rather than the Clipper one, for exactly the reason you mentioned.
Senator Pressler. Well, are there sufficient safeguards in the es-
crow system? You would have to have a court-authorized wiretap,
and I guess two agencies would have to be involved. It sounds to
me as though there are some fairly extensive safeguards built in.
Mr. Walker. My personal opinion is with law enforcement oper-
ating within the law, the procedures that they are establishing—
I have been briefed on this several times on the Computer System
Advisory Board and other things — are going to be sufficient for
this, law enforcement operating within the law.
I am concerned that law enforcement operating outside of the
law doing something that is not authorized — these procedures may
not be good enough for that. I am not sure that you could ever have
procedures that are good enough for that, which is the concern
about establishing key escrow as a mechanism anyway, in any
case, and why I believe we need to have legislation to review
whether we really want this or not.
Mr. Diffie. I think my understanding is that in the early 1940's
when Japanese Americans were interned, the information that was
used to identify them was, in part, census information that was
very explicitly legally — clear legal impropriety in using the census
information for this purpose.
I think when we think about creating what the escrow system
might become — that is, a repository of keys that could be used to
read a vast amount of American traffic — we are considering creat-
ing a vulnerability, a very long-term vulnerability in the U.S. Com-
munications System. In these discussions, it is always important to
emphasize that as valuable as telecommunications are to us at
present, they will be more valuable in the future. They will be
more the essence of our society in a few years than they are now.
So I am very worried that we are creating something that is a
fundamental danger to the security of our communications system
under the guise of an improvement to the security of our commu-
nications system.
Senator Pressler. Now, Mr. Walker, you describe how present
U.S. laws prohibit the export by your company of encryption prod-
ucts. Are you in favor of eliminating those laws completely? If not,
what should be exported and what should be prohibited?
Mr. Walker. I believe that there needs to be a balance found be-
tween super-good cryptography that is used by the U.S. Govern-
ment to protect its classified information — I don't think that should
be exported. What I am suggesting is things that are routinely
available throughout the world ought to be able to be exported by
the United States.
We have relaxed export controls on every kind of computer and
telecommunications in the last couple of years except that involving
cryptography. In the survey we are doing, which is done at a very
low budget without a whole lot of fancy people working on it, we
have found a very large number of DES and better products that
are available throughout world. Why is it that U.S. companies are
excluded from being able to participate in that?
So I am not suggesting that we ban export controls on cryptog-
raphy as a whole. I am saying let us find what the level is that
is available routinely around the world and establish that as the
basis where U.S. companies can participate. If U.S. companies can
participate in exporting things like DES, then you will find
Microsoft and Novell and WordPerfect including encryption in their
products so that when you want to protect a file from someone else
reading it or when some company wants to use this to protect their
very sensitive information, they will have the tools available to do
it.
We do not have control in this country of the internal use of cryp-
tography, but the use of export control has been so strong that it
has, in effect, created a control of its use within the United States.
It is legal to use DES to encrypt your Microsoft files, but you won't
find a product that lets you do that relatively easily because the
people who build those products can't sell it to half the market that
they have.
So we are in a situation which requires some degree of sense ap-
plied to it. Don't ban the export of cryptography in general. Good
systems, military use systems, should not be exportable, but rou-
tine things that are available in the bookstores in London and in
Germany and in Australia and South Africa — we ought to be able
to sell those, too. That is what I am seeking, and I believe that is
what the Cantwell and the Murray bills, in fact, are seeking to do,
and I strongly encourage that the House and the Senate pass those
as quickly as possible.
Senator Pressler. Thank you very much.
Senator Leahy. Thank you. We will take a 2-minute recess to
allow the next panel to set up.
[Recess.]
Senator Leahy. During the break, someone asked me the num-
bers, and I reversed the cost estimate. NIST has estimated that
$14 million is the cost of setting up the Key Escrow System, and
$16 million is the annual maintenance cost. I forgot who asked me
the question, but I hope they are still in the room. I wanted to cor-
rect it if I gave it just the other way around.
Admiral McConnell is the Director of the NSA, the National Se-
curity Agency, and has been for a couple of years. Before that, he
served as head of the Intelligence Department of the Committee of
the Chiefs of Staff of the U.S. Armed Forces. The admiral has been
most patient in listening. By the end of this day, he and I will
probably have heard more than either one of us ever wanted to
hear on this subject.
Admiral, I appreciate your being here because your involvement
is absolutely essential in getting any resolution on this. I might
note for the record that I appreciate the amount of time you have
spent personally with me on this, and that the time your staff has
spent. It has been very, very helpful, and I must say in my experi-
ence in 20 years in dealing with those in the intelligence agencies,
I have never had anybody be more cooperative or more forthcoming
than you have and I just wanted to publicly commend you on that,
especially since some of the things that you are cooperative about
I can't publicly thank you for, but I thank you in general.
Go ahead.
STATEMENT OF ADMIRAL J.M. McCONNELL
Admiral McConnell. Mr. Chairman, I appreciate the oppor-
tunity to comment. As you know, I have submitted a statement for
the record, but in the interests of time I would like to just make
a few brief comments.
I noted that you started earlier this morning — it seems like
hours and hours ago now
Senator Leahy. It was.
Admiral McConnell. About the CNN/Time poll; 80 percent of
Americans were against this. Just for interest, I pursued that a bit
to read the question that was asked. Although the question wasn't
published, it was stated in a way with pejoratives three times
along the way to basically come down to, do you want the govern-
ment reading your communications, as opposed to stating it in a
way to say this is not an enhanced or additional authority for the
government to do its law enforcement mission, which includes le-
gally authorized wiretaps. So I think the question was probably a
little bit biased in the way it was asked.
Sir, your letter asked me to address what was NSA's role in this
whole process, and it can be summed up very succinctly. We were
the technical adviser to NIST that you heard from earlier and to
the FBI and the Department of Justice. The FBI, in the legislation
that they have submitted, recognized that they had a problem with
the communications process going from analog to digital, referred
to popularly as the digital telephony legislation. In conjunction
with that, they began to appreciate the potential impact of
encryption.
They came to us, as did NIST, in our role as directed under the
Computer Security Act of 1987, and asked for technical assistance.
Quite frankly, this was a very tough technical challenge for us. We
sat down to sort through potential technical solutions and what we
came up with was escrowed key.
Now, I would like to make the point that you only have three
choices if you are going to encrypt something. You can use
encryption that is exploitable, meaning that it is neither, not of suf-
ficient key length or there is a weakness or there is something that
would allow an adversary to break into it. You can use encryption
that is exploitable, or you can use encryption that is unexploitable
but uses an escrowed key. In my opinion, that is where we came
out. We made encryption that is not exploitable. We factored in the
escrow key, for all the reasons that have been enumerated for you
this morning.
NSA has been castigated regularly in the literature on this sub-
ject as being the perpetrator and having sinister motives, and so
on, and I would just like to take a moment here in public to try
to put a little balance on some of those comments.
First of all, NSA has no domestic surveillance function. NSA has
no law enforcement function. We do not target Americans. We have
no direct association with law enforcement other than if we collect
something in our mission of foreign intelligence that would be of
use to law enforcement, we make that information available, just
like we would make it available to any other agency of government
or to the Congress.
The second point I would make is we certainly are a nation of
laws. Our activities are governed by law and we have very exten-
sive oversight not only in the executive branch, but also in the Con-
gress, two committees, and you, of course, served on one of those
committees. That oversight, sir, as you well know, is quite exten-
sive on what we do.
Our mission is to target foreign activities, so anything that NSA
is engaged in is strictly in a foreign context. Now, what are those
things? Military capabilities; proliferation of weapons of mass de-
struction, even the creation of weapons of mass destruction; sci-
entific and technical intelligence on weapons systems and ability of
countermeasures to defeat U.S. systems; and, in fact, military oper-
ations, and you could extend it on to foreign government actions
that would either harm their neighbors or would harm the inter-
ests of the country. All of those are very important things, and let
me just use a current example.
Most who have focused at all on foreign relations are concerned
about the events in North Korea. North Korea either has or they
intend to build a nuclear weapon. They have a missile system that
has a current range, we estimate, in the neighborhood of 1,000 km.
They intend to build missiles with capabilities beyond 1,000 km.
Now, that is of interest to the United States and it is of interest
to our allies, the South Koreans, the Japanese, and others.
NSA's interest in this thing called cryptography and standards,
and particularly international standards, is influenced by our serv-
ice to the Nation to maintain awareness of what is going on in the
world that impacts on not only military operations, but the formu-
lation of foreign policy and that sort of thing.
Successful completion of our mission has saved lives not only in
the military context, but in the civilian context, not only for the
United States, but for our allies. We have provided information to
our policymakers for the formulation of foreign policy. We did it
last year, we did it last month, we did it yesterday, and we are
doing it this morning.
Now, what I would like to do — since most of everything that I am
involved with currently is classified and I am unable to speak free-
ly on it, I want to try to give this a sense of relevance by speaking
to a historical context.
In World War II in the Atlantic theater, the United States and
Great Britain collaborated to break the communications of the
enemy. Through the ability to read the communications of the
enemy, we knew when they were planning battles, with what level
force. We knew how to engage, when and where, and when it was
to our advantage.
The U-boat force, the submarine force, was approaching success
in shutting down the flow of war materials going from the United
States to England and to Europe. The success in code-breaking al-
lowed the United States to either circumvent the U-boats or to sink
them. It made an incredible difference. Historians have credited,
now that this information is public, World War II coming to com-
pletion in Europe, if not 2 years, at least 18 months, sooner than
it would have otherwise.
Now, let me switch to the Pacific. The United States succeeded
in breaking the code of the enemy in the Pacific. Because of that,
with an inferior naval force, we immediately started to enjoy naval
victory. The first was on the Coral Sea, the battle of the Coral Sea,
and the second was at Midway. At the battle of Midway, the tide
was turned.
Now, it is very interesting what happened in this historical con-
text. The Coral Sea and the battle of Midway occurred in 1942. In
the summer of 1942, a newspaper reporter became aware that the
United States was breaking the communications of the enemy and
it was published in a U.S. newspaper. It became a cause celebre
and was repeated a number of times, and by the late summer the
enemy had changed their communications process.
Coincident with that, the campaign in the Solomon Islands was
initiated. It was long and it was bloody. We could not see their in-
tentions. We did not understand what they were planning to do.
Therefore, it cost countless thousands of lives that, in my view,
could have been avoided if our capability to exploit had been pre-
served.
NSA is involved in this level of activity every day, but as you
well know, it is classified. If I spoke about it in public, what suc-
cess we do enjoy today would disappear. So I use this historical
context to try to provide some weight to what it means to the Na-
tion.
I just would terminate on that particular subject in a current
context by just advising you that the Secretary of Defense and Gen-
eral Powell at the conclusion of Desert Storm came out to NSA to
personally thank the employees, the men and women, of NSA for
the contributions that they made.
Sir, when we were asked to provide a technical solution, if there
was a technical solution to this seemingly intractable problem, we
started with a list of objectives, and I want to give those objectives.
First and foremost, we just made ourselves a list of, as citizens,
how would we like a technical solution to come out.
The first was, contrary to what appears in the popular literature,
enhancement and protection of the privacy of Americans. That was
number one on our list. The second was to protect public and pri-
vate corporate information, business information; to promote U.S.
competitiveness; and, of course, the last objective was what we
were asked to provide some thought to by Justice and NIST, and
that was to allow law enforcement to monitor criminals or terror-
ists.
We conceived Clipper. It has been referred to here most often as
Clipper. It is actually an algorithm and the name of it is Skipjack.
Clipper is just one application of Skipjack. There are others. As has
been stated earlier, it is 16 million times stronger than the current
Federal standard, which is referred to as DES, or the Data
Encryption Standard.
The idea was to escrow the key, hold it in such a way that it
could be drawn for legitimate purposes. But if you really think
about it for a moment, the auditability of the process and the ac-
countability of the process improves the privacy of Americans over
where it is today. Today, a political opponent, a used car salesman,
a credit research bureau, a rogue cop, could intercept someone's
communications. If they were using the devices that we have dis-
cussed here this morning with escrowed key, then the only way
that you could break that communication would be with some over-
sight provided by a court in a process that is more accountable
than what exists currently.
So I think, in my view, we have struck the proper balance be-
tween privacy protection and law enforcement access. I really be-
lieve when I have thought this through, and I have been working
at it and thinking about it now for some 2 years, that the privacy
of Americans is enhanced, not degraded. It not only is court-author-
ized, but we tried to make it analogous to the way we do nuclear
weapons — two-agency control and two-man control, never allowing
one person to have absolute control of the process. The existing
wiretap authorities have not been expanded, and existing legal pro-
tections, in fact, in my view, have been strengthened.
NSA's INFOSEC mission, our mission which is not well known
to most of those who talk about us and most discussions about
what we do against foreign interests in terms of intelligence collec-
tion— we do have another mission, and that is information security
for the government. We make the government's code, and because
we are probably the most robust encryption activity available to
the country, our expertise is drawn upon so we can take some of
that technology that we have, in fact, spent millions of dollars on
to make it available to resolve some of these other problems.
The administration did not take this lightly. They spent some 9
months reviewing it. They solicited and considered industry views.
They concluded at the end of that deliberation that export controls
on cryptography should be maintained as being in the best inter-
ests of the Nation so that it would not damage NSA's mission and
our global responsibilities.
A number of reforms were announced mandating speeding-up of
the process and easing the regulatory burden to get, in fact, ap-
proved export items of a cryptographic nature exported — key es-
crow products that can be licensed quickly for movement out of the
country so long as it is consistent with national security.
Now, a number of laws have been discussed today, and issues
discussed today, and I think our two previous speakers captured it
very eloquently. What I heard was one discussion of privacy and
another discussion of profit motive or being motivated to do this be-
cause it may have some impact on U.S. business.
I would just highlight that there are other rules and regulations
that people find offensive in the privacy sense, but to come into
this hearing today I was electronically searched. To get on an air-
plane, I am electronically searched. The Congress has decided that
that invasion of privacy is worth it in the interests of public safety.
The same argument is being made with regard to court-authorized
intercept of terrorist or criminal communications. Some would
claim that these and other laws invade privacy. In my view, it is
a balance of that privacy.
Key escrow is a technical solution to a very complex set of equi-
ties. As a matter of fact, at NSA that is how we refer to this issue.
In addition to being a headache, we call it our equities issue.
Whose equities are involved? I go back to what our original objec-
tives were — Americans' privacy, corporate interest, law enforce-
ment, and the competitiveness of U.S. business. So when we weigh
all those equities, at least in my view, and I would say fortunately
in the view of the administration which reviewed this, to include
very active participation by the Vice President — he came down on
the side of the most equities are represented and protected by the
key escrow initiative.
So, that concludes my statement. I would be happy to try to an-
swer your questions.
Senator Leahy. Thank you. Skipjack is for voice encryption now.
Are you working on something even faster for data encryption?
Admiral McConnell. Yes, sir. Currently, Skipjack can be made
fast enough to keep up with any current or anticipated application,
but there will be a need to go faster and we will either have to
make Skipjack go faster or have a new approach. One of the things
I might mention is, working for Defense — Defense had asked us to
come up with a technical solution for a way to use the information
superhighway to exchange E-mail communications with business,
with contractors, and so on, in a way that would be protected. That
was why Skipjack was invented. The application is something we
call Capstone. It is a PC card that just plugs in and provides you
a lot of the functionality that has been discussed earlier.
When the FBI and Justice presented us with this other problem,
we just took the Skipjack algorithm and applied it to basically a
voice-only problem. Now, so far in the administration's review, the
only thing that they have authorized in this FIPS, or this standard
which is published by NIST, is for the voice and a low data rate
application only. Where we are proceeding with Capstone, or this
application for the Defense Department, that is strictly for govern-
ment use, and whether it is going to be made available to the pub-
lic and become a voluntary standard, and so on, is yet to be deter-
mined.
Senator Leahy. I think your discussion of the Pacific battles was
illustrative. Without going into any specific case, the hypothetical
I used earlier today about threats from terrorist organizations —
would you say that is a realistic hypothetical?
Admiral McConnell. Sir, I thought Mr. Walker made a compel-
ling argument for what is out there, and I just would highlight —
and this is difficult for me to answer because it gets into sources
and methods.
Senator Leahy. Well, maybe I should ask it this way. Is it your
estimation as one who deals with the security of this country that
the United States, like most other Western nations, is not immune
from terrorist threats from abroad?
Admiral McConnell. No, no, sir, not at all.
Senator Leahy. That is basically my question.
Admiral McConnell. Not at all.
Senator Leahy. Do you know whether foreign governments
would be interested in importing key escrow encryption products to
which they, not the U.S. Government, hold the keys?
Admiral McConnell. Sir, this is a very interesting question and,
in my view, when we have entered into discussions with our coun-
terparts— we have counterpart relationships, as you are aware, and
I would say that we in this country are probably a little further
along in the decision process than some of our allies.
You used an example earlier, if you wanted to import cryptog-
raphy into France, and I found it very interesting that you used
France as your example because you can't import cryptography into
France. When we have talked to our business partners, those that
we deal with in the private sector, we frequently are asked, why
can't you get my products into France? Well, the French pass laws
that say you can't do that. They are going through this deliberation
in the EC and in Europe and in the individual countries of Europe
to determine how they are going to address this problem.
I just would use a phrase that I used when we had an oppor-
tunity to meet with the Vice President and discuss this issue and
when we were coming to closure for decision. I said, sir, if you listen to the argument that unexploitable encryption should be available in this country to be exported anywhere we want to export it
in the world, then you take the problem that we are attempting to
solve in this country and make it our allies' problem. Our allies
have problems with criminals and drug dealers and terrorists. Are
they likely to allow U.S. firms to import cryptography into their
country that would shut out their law enforcement abilities? So
these questions are very difficult. They are incredibly complex, and
we are going through that process. I don't know exactly how it will
come out.
Senator Leahy. Have we had governments that have asked us,
if we go forward with this, to work out a deal to share keys with
them?
Admiral McConnell. There are discussions with my counterparts and there are discussions at the law enforcement level. How
it will turn out I can't forecast, but I would say that the objective
of some of the various participants in the discussion is, if there is
a law enforcement problem involving a foreign country and this
technology is used, to work out some process that could help con-
tribute to solving that law enforcement problem.
One of the things I worry about is this is exportable by an Amer-
ican by his own use. Now, he may not be permitted to use it in
some given country because of the laws of that country, but he will
be able to use it in other places. What I worry about is how do I
ensure the privacy of that American who is in a foreign country.
So these are very difficult questions that we will have to work our
way through.
Senator Leahy. But then we could have the possibility of these
keys being in countries other than our own.
Admiral McConnell. Yes, sir, we could.
Senator Leahy. How does a country like France address the
question that if they prohibit encryption devices or encryption pro-
grams that they may be just closed out of the whole information
superhighway entirely?
Admiral McConnell. Currently, the information superhighway
is not encrypted, and that is what
Senator Leahy. But I mean if somebody used Pretty Good Pri-
vacy, for example, on there, it is encrypted.
Admiral McConnell. Yes, sir.
Senator Leahy. I mean, if you have got somebody sitting on the
outskirts of Paris who clicks on to the Internet and if he uses Pret-
ty Good Privacy to encrypt his message and send it to somebody
in San Diego, CA, it is there.
Admiral McConnell. Yes, sir. The laws, as they have been ex-
plained to me, in France are that you cannot import, export or do-
mestically produce encryption without government approval.
Senator Leahy. So, that person would be in violation of the law?
Admiral McConnell. That person would be in violation of
French law in that specific instance. Now, cases are made that this
technology is available around the world, it is on Internet, it flows,
and so on.
Senator Leahy. Especially with the EC and worldwide trade, you
can have companies who have got a branch in France and Italy,
Ireland, the United States, Canada, Mexico, and Argentina. They
may be constantly sending material back and forth, everything
from E-mail to specs and diagrams and blueprints, and want to
encrypt it all. Doesn't a country like France get into an impossible
situation if they are suddenly cut out of that loop?
Admiral McConnell. Yes, sir, you can make that argument. So
far, it hasn't gotten to that point. My choice, of course, would be
if it is possible for key escrow standards to be established in a way
that we can work it out with our allies, and so on, and that pro-
tects each person's equities. We don't really know where this is
going.
I want to address the point that was made earlier by one of the
preceding witnesses about the availability of these products. Sir, I
don't deny that you can put something on Internet and it will flow,
but I do a market survey of the globe every day, 24 hours a day,
and what I can report back to you is, as a practical matter, for the
kinds of things that are interested in from a foreign intelligence as-
pect there is not widespread use of some of these things.
Does that mean that there will not be widespread use in the fu-
ture? We are judging human behavior, so we don't know exactly
how that is going to turn out, but of the products that have been
available to us to examine, they are not all as they have been ad-
vertised to be. Now, that is a cute way of saying the real answer
is classified and I will discuss it with you at a later time. The argu-
ments being made in public I have difficulty refuting because what
I know is at a classified level.
Senator Leahy. Well, we are going to go shortly into that part
of the hearing, but let me ask you this. What if the key escrow
encryption chip — say, the Clipper Chip — is not widely accepted on
a voluntary basis? Now, I understand some of the things that are
being done to make it more acceptable, such as the government
buying and the cost going down, and so on and so forth. Would the
intelligence and law enforcement agencies recommend that all
encryption systems — DES, Pretty Good Privacy, whatever else — have a key escrow feature, with the government holding a duplicate set of the keys?
Admiral McConnell. On a mandatory basis?
Senator Leahy. Yes.
Admiral McConnell. That is not the intent of the administration.
Senator Leahy. Well, would that suffice in order to allow expor-
tation?
Admiral McConnell. Currently, there are products exported
from the country that do not have escrow key. As a matter of fact,
the vast majority of those who desire export
Senator Leahy. They are not as good either.
Admiral McConnell. No, sir. That is correct. Skipjack is no trivial algorithm. I mean, if you were to attack this — as it has been
described earlier, as you run something to exhaustion and if it is
robust — if you were to attack it, I mean you are into not hundreds,
but thousands of years before you could ever run it to exhaustion.
Senator Leahy. Well, let us think of it another way. Suppose you
have got a Clipper Chip the Key Escrow System and everything
else, and somebody double encrypts it, say, using DES. Can you tell
from looking at the cipher, the encrypted text, whether the underlying message was encrypted?
Admiral McConnell. It would be difficult. If one were to use
Senator Leahy. In other words, I am asking you if double
encrypting can defeat Clipper Chip.
Admiral McConnell. Yes, sir, it clearly could, but there would
be no advantage to using Clipper and, let us say, DES, for example.
You would just use DES. Assuming that you were a criminal and
the government held the keys, getting through Clipper you would
still have the same level of protection, which is a 56-bit key, a ro-
bust algorithm known as DES.
Senator Leahy. Let me ask you about the family key. Every Clip-
per Chip has the same family key programmed into it, if I under-
stand it correctly. It is used by law enforcement to decode an inter-
cepted serial number or the identifier that is at the beginning of
each encrypted conversation.
Now, if somebody got unauthorized access to the chip family key,
can they do anything with that? For example, can they keep track
of communications traffic back and forth between a particular chip?
Admiral McConnell. They would be able to read the serial number on the chip.
Senator Leahy. Is that about it?
Admiral McConnell. Yes, sir, but that is kind of an interesting
question, sir. With your law enforcement background, I am sure
you are aware that if you are conducting a criminal investigation
every phone call — records are kept by the phone company for toll-
ing purposes, so if you are a criminal investigator with a case open,
you just subpoena those records or get the records and they are
made available to you. So there wouldn't be any advantage to — if
I were law enforcement, I sure wouldn't want to break the law to
do something I could get with due course.
Senator Leahy. But they couldn't use it to in any way decode?
Admiral McConnell. No, sir.
Senator Leahy. They would still need the
Admiral McConnell. No, sir, and they wouldn't get any more information than they already get in current activity.
Senator Leahy. Well, Admiral, unless you want to add something
in open session, we will go over to the bubble.
Admiral McConnell. No, sir. Thank you for the opportunity to
comment.
Senator Leahy. Thank you.
[The prepared statement of Admiral J.M. McConnell follows:]
Prepared Statement of Vice Admiral J.M. McConnell
Good morning. I appreciate the opportunity to discuss with you NSA's interests
in and involvement with the Administration's key escrow encryption program and
its decision to encourage the use of the government designed encryption
microcircuits, commonly referred to as CLIPPER chips. These microcircuits, or
chips, provide robust encryption, but also enable law enforcement organizations,
when lawfully authorized, to obtain the key that unlocks the encryption. The Presi-
dent's program advances two seemingly conflicted interests — preserving critical elec-
tronic surveillance capabilities, on the one hand, and providing excellent informa-
tion systems security, on the other. I will discuss the role we played in support of
this program. I will also discuss NSA's interests, both in general and in respect to
the President's program.
NSA's ROLE IN THE PRESIDENT'S INITIATIVE
Our role in support of this initiative can be summed up as "technical advisors"
to the National Institute of Standards and Technology (NIST) and the FBI.
As the nation's signals intelligence (SIGINT) authority and cryptographic experts,
NSA has long had a role to advise other government organizations on issues that
relate to the conduct of electronic surveillance or matters affecting the security of
communications systems. Our function in the latter category became more active
with the passage of the Computer Security Act of 1987. The Act states that the Na-
tional Bureau of Standards (now NIST) may, where appropriate, draw upon the
technical advice and assistance of NSA. It also provides that NIST must draw upon
computer system technical security guidelines developed by NSA to the extent that
NIST determines that such guidelines are consistent with the requirements for pro-
tecting sensitive information in federal computer systems. These statutory guide-
lines have formed the basis for NSA's involvement with the key escrow program.
Subsequent to the passage of the Computer Security Act, NIST and NSA formally
executed a memorandum of understanding (MOU) that created a Technical Working
Group to facilitate our interactions. The FBI, though not a signatory to the MOU,
was a frequent participant in our meetings. The FBI realized that they had a do-
mestic law enforcement problem — the use of certain technologies in communications
and computer systems that can prevent effective use of court authorized wiretaps,
a critical weapon in their fight against crime and criminals. In the ensuing discus-
sions, the FBI and NIST sought our technical advice and expertise in cryptography
to develop a technical means to allow for the proliferation of top quality encryption
technology while affording law enforcement the capability to access encrypted com-
munications under lawfully authorized conditions.
We undertook a research and development program with the intent of finding a
means to meet NIST's and the FBI's concerns. The program led to the development
of two microcircuits or chips. The first was an all-purpose chip with encryption, pub-
lic key exchange, digital signature, and hashing functions. The second contained the
encryption function only and is intended for use in devices in which digital signa-
ture and hashing are not needed and key exchange is provided by some means out-
side the chip.
Throughout the design and development of the key escrow encryption system, we
placed an emphasis on providing for the protection of users' privacy. We focused on
ways in which we could preserve law enforcement's existing capabilities without un-
dermining privacy rights and protections embodied in current law.
One of the technical solutions to these privacy concerns is the split escrowed key.
All chips have been designed to be programmed with their own identification number
and a unique key that could be used to unlock the encryption. Because the chip-unique keys can be used to unlock the encryption, we also devised a means to split
the keys and to keep each part with a different custodian. Neither part is useful
without the other. The parts of each chip's unique key are separately escrowed with
two trusted custodians at the time the chip is programmed. In this way, when law
enforcement officials conduct a court-authorized wiretap and encounter this
encryption, they can identify the chip being used and obtain the corresponding chip-unique key from the custodians, again using the court authorization. This concept
of splitting the key into two or more parts is a sound security technique which provides a safeguard against unlawful attempts to obtain keys and illegally access protected communications. This also provides security against the risk that a single
custodian might lose control of the keys, making the corresponding chips vulnerable
to decryption.
In addition to splitting the key, the system has been designed so that the chip-unique key components are encrypted. Neither the custodians nor law enforcement
officials know even a portion of the unique keys. The unique keys are only decrypted
in a special device used to decrypt communications encrypted with key escrow chips.
These devices are, of course, kept under strict control to ensure they are used only
in connection with authorized wiretaps.
With the key escrow concept, the U.S. is the only country, so far, proposing a tech-
nique that provides its citizens very good privacy protection and maintains the cur-
rent ability of law enforcement agencies to fight crime. Other countries are using
government licensing or other means to restrict the use of encryption. We have gone
to great lengths to provide for both the privacy and law enforcement interests and
I believe we have developed the best technical approach to date. As a result, I be-
lieve the key escrow encryption system actually enhances privacy protections when
you consider that most people currently use no encryption. Widespread use of CLIP-
PER will make it easy for people to take advantage of the benefits that high quality
encryption offers.
NSA'S INTERESTS IN THE KEY ESCROW INITIATIVE
While our role in this initiative has been that of technical advisor to NIST and
the FBI, we are very interested in the outcome and its impact on NSA's two mis-
sions, information security and foreign signals intelligence.
NSA has a mission to devise security techniques for government communications
and computer systems that process classified information or are involved in certain
military or intelligence activities. In keeping with the Computer Security Act of
1987, we also make available to NIST the benefits of our security expertise so they
can, as appropriate, use it to promulgate the security standards applicable to the
systems under their purview, i.e. federal systems that process sensitive unclassified
information. Through our support of NIST and the promulgation of standards for
federal systems, we advance a goal we all share— assuring that Americans have
available to them the products they need to secure their communications and com-
puter systems.
The NSA Information Systems Security, or INFOSEC, organization is continu-
ously striving to understand the threats to information systems and to devise new
or improved methods to protect against those threats. While most of us only con-
sider the security of our systems when there is a much publicized case of computer
hacking or intercepted cellular calls, NSA's INFOSEC people recognize the threats
are ever present. They possess a unique sensitivity to the nature and the extent of
these threats, and these insights into information system vulnerabilities form the
foundation for building information systems security products. We have applied this
knowledge and unrivaled cryptographic expertise for over 40 years in designing se-
curity products for U.S. communications and information systems that I can say
with confidence and pride, are second to none.
Key escrow technology advances NSA's INFOSEC interests. For one thing, the
encryption microcircuits provide excellent security, better by far than the Data
Encryption Standard (DES). We will use these chips in products to secure informa-
tion systems for which we are responsible. We are also pleased to see such robust
security available for the voluntary use of all Americans. To the extent that we can
use commercial off-the-shelf products as a basis for securing information systems
under our purview, the cost to all users will decline. Moreover, widespread use of
these products will enhance the interoperability of systems among all users. All of
this is to the good of our INFOSEC interests.
The key escrow initiative was designed to accommodate all of our interests in as-
suring the privacy of our communications and in preserving law enforcement access
to communications when necessary and lawfully authorized. This accommodation reflects the Administration's realization of the importance of effectively managing this
technology so as to preserve our electronic surveillance capabilities. Whether it is
law enforcement's wiretap-derived evidence of a crime or intelligence information re-
garding a foreign government, we as a nation use the product of electronic surveil-
lance to assure the national security and the public safety.
From a signals intelligence standpoint, we are only concerned with the use of
encryption by targets of our foreign intelligence efforts. Clearly, the success of NSA's
intelligence mission depends on our continued ability to collect and understand foreign communications. Encryption, a technique for scrambling communications so
that unintended recipients cannot understand their contents, can disrupt our ability
to produce foreign signals intelligence. Controls on encryption exports are important
to maintaining our capabilities.
At the direction of the President in April, 1993, the Administration spent ten
months carefully reviewing its encryption policies, with particular attention to those
issues related to export controls on encryption products. The Administration consulted with many industry and private sector representatives and sought their opinions and suggestions on the entire encryption export control policy and process. As
a result of this review, the Administration concluded that the current encryption ex-
port controls are in the best interest of the nation and must be maintained, but that
some changes should be made in the export licensing process in order to maximize
the exportability of encryption products and to reduce the regulatory burden on ex-
porters. These changes will greatly ease the licensing process and allow exporters
to more rapidly and easily export their products.
In addition, the Administration agreed at the urging of industry that key escrow
encryption products would be exportable. Our announcement regarding the
exportability of key escrow encryption products has caused some to assert that the
Administration is permitting the export of key escrow products while controlling
competing products in order to force manufacturers to adopt key escrow technology.
These arguments are without foundation.
Many non-key escrow encryption products have long been licensed for export.
Such products will continue to be approved for export notwithstanding the fact that
key escrow encryption products are becoming available. Moreover, we will continue
to review proposed exports of new encryption products and will license them for ex-
port in any case in which the export is consistent with national interests. Finally,
as I mentioned earlier, the Administration is in the process of implementing reforms
of the licensing process to speed licensing and reduce the licensing burdens on
encryption exporters. These reforms will benefit exporters of key escrow and non-
key-escrow encryption alike. In short, we are not using or intending to use export
controls to force vendors to adopt key escrow technology.
CONCLUSION
In sum, I believe the President's initiative is a reasonable response to a very dif-
ficult set of issues. It accommodates users' interests in security and the law enforce-
ment interest to unlock encryption when lawfully authorized. The procedures for
escrowing key are being developed to ensure the security of the devices is not compromised by the escrow system. There are, to be sure, issues to be ironed out, but
I am confident we will work out the wrinkles.
I would be pleased to answer any questions you may have.
Senator Leahy. The subcommittee stands adjourned.
[Whereupon, at 12:41 p.m., the subcommittee was adjourned.]
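The split-key escrow mechanism described in Admiral McConnell's prepared statement (a chip-unique key split between two custodians, each component stored encrypted and recombined only inside a controlled decrypt device) and the family-key point raised in the questioning (the family key, common to every chip, yields the chip's serial number from the identifier at the start of a conversation but does not decrypt the traffic) can be walked through end to end. The following Python is an added illustration and is not part of the hearing record, nor the government's Clipper or Capstone implementation. Its assumptions: the classified Skipjack algorithm is replaced by a SHA-256 counter-mode stream cipher with no integrity check; the two escrow components are XOR shares of the chip-unique key; the per-conversation identifier is laid out as "serial number plus session key wrapped under the chip-unique key, all wrapped under the family key" (the name LEAF used in the comments is the commonly used term, not one the hearing uses); key lengths, the serial number and the sample traffic are constructed for the example.

```python
import hashlib
import secrets

KEY_LEN = 16     # assumption: 128-bit keys throughout
SERIAL_LEN = 4   # assumption: 32-bit chip serial number


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for the classified Skipjack
    algorithm, chosen only so the example runs with the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR stream cipher; the same call encrypts and decrypts.
    No integrity protection: the point here is the key-handling structure."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def program_chip(serial: bytes, escrow_a: dict, escrow_b: dict, device_key: bytes) -> bytes:
    """Chip programming: mint the chip-unique key, split it into two XOR shares
    (a single share is uniformly random and says nothing about the key), and give
    each custodian its share already encrypted under the decrypt device's key, so
    a custodian never holds even a portion of a unique key in the clear."""
    unit_key = secrets.token_bytes(KEY_LEN)
    share_a = secrets.token_bytes(KEY_LEN)
    share_b = xor_bytes(unit_key, share_a)
    escrow_a[serial] = toy_cipher(device_key, b"custodian-A" + serial, share_a)
    escrow_b[serial] = toy_cipher(device_key, b"custodian-B" + serial, share_b)
    return unit_key


def chip_encrypt(serial: bytes, unit_key: bytes, family_key: bytes,
                 session_key: bytes, plaintext: bytes) -> tuple:
    """What a chip emits per message: an IV, the law enforcement field (LEAF)
    and the traffic ciphertext. LEAF = E_family(serial || E_unit(session_key)).
    The session key itself is agreed outside the chip (assumed given here)."""
    iv = secrets.token_bytes(8)
    wrapped_session = toy_cipher(unit_key, b"leaf" + iv, session_key)
    leaf = toy_cipher(family_key, b"family" + iv, serial + wrapped_session)
    body = toy_cipher(session_key, b"traffic" + iv, plaintext)
    return iv, leaf, body


def read_leaf(family_key: bytes, message: tuple) -> tuple:
    """Someone holding only the family key can open the LEAF and learn the serial
    number; the session key inside is still wrapped under the chip-unique key,
    so this identifies the chip but decrypts nothing."""
    iv, leaf, _ = message
    opened = toy_cipher(family_key, b"family" + iv, leaf)
    return opened[:SERIAL_LEN], opened[SERIAL_LEN:]


def decrypt_device(family_key: bytes, device_key: bytes, escrow_a: dict,
                   escrow_b: dict, message: tuple) -> bytes:
    """Authorized path: identify the chip from the LEAF, obtain both escrowed
    components, decrypt them only inside this device, recombine the chip-unique
    key, unwrap the session key and decrypt the traffic."""
    iv, _, body = message
    serial, wrapped_session = read_leaf(family_key, message)
    share_a = toy_cipher(device_key, b"custodian-A" + serial, escrow_a[serial])
    share_b = toy_cipher(device_key, b"custodian-B" + serial, escrow_b[serial])
    unit_key = xor_bytes(share_a, share_b)
    session_key = toy_cipher(unit_key, b"leaf" + iv, wrapped_session)
    return toy_cipher(session_key, b"traffic" + iv, body)


def demo() -> dict:
    """Run the whole flow on constructed sample traffic and return the pieces."""
    family_key = secrets.token_bytes(KEY_LEN)   # programmed into every chip
    device_key = secrets.token_bytes(KEY_LEN)   # lives only in the decrypt device
    escrow_a, escrow_b = {}, {}                  # the two custodians' records
    serial = b"\x00\x01\x02\x03"                 # constructed serial number
    plaintext = b"constructed sample traffic"   # constructed sample

    unit_key = program_chip(serial, escrow_a, escrow_b, device_key)
    session_key = secrets.token_bytes(KEY_LEN)
    message = chip_encrypt(serial, unit_key, family_key, session_key, plaintext)

    leaf_serial, _ = read_leaf(family_key, message)
    lawful = decrypt_device(family_key, device_key, escrow_a, escrow_b, message)

    # One custodian alone: stand in a zero share for custodian B's component and
    # the recombined key is wrong, so the traffic stays unreadable.
    bogus_b = {serial: toy_cipher(device_key, b"custodian-B" + serial, bytes(KEY_LEN))}
    one_custodian = decrypt_device(family_key, device_key, escrow_a, bogus_b, message)

    return {"serial": serial, "plaintext": plaintext, "leaf_serial": leaf_serial,
            "lawful": lawful, "one_custodian": one_custodian}


if __name__ == "__main__":
    print(demo())
```

Two things the structure makes visible: a party with the family key (or a subpoenaed toll record) ends up with the same thing, the identity of the endpoint, and with neither escrow component on its own is any progress made against the traffic, since each share is independent of the chip-unique key until combined with the other inside the device. What the toy deliberately omits is any integrity check on the LEAF or the ciphertext, so it should not be read as a statement about the strength of the real design.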
APPENDIX
Additional Submissions for the Record
Prepared Statement of Computer and Business Equipment Manufacturers
Association
SUMMARY
CBEMA represents the leading U.S. providers of information technology products
and services.¹ Its members had combined sales of $270 billion in 1992, representing
about 4.5% of our nation's gross national product. They employ more than 1 million
people in the United States. CBEMA develops and advocates public poUcies bene-
ficial to the information technology industry in the U.S., participates in all pertinent
standards programs worldwide, and sponsors the U.S. committees developing vol-
untary standards, domestically and internationally, for information technology.
CBEMA initially reacted to the President's key escrow/Skipjack² initiative during
hearings in June held by the Computer System Security and Privacy Advisory
Board to the National Institute of Standards and Technology. The CBEMA state-
ment voiced our industry's concerns about individual privacy, the marketability of
products, both in the U.S. and abroad, the technical difficulties of incorporating key
escrow/Skipjack into devices, and the cost/competitiveness problems associated with
key escrow/Skipjack.
This paper further develops several of those issues and offers CBEMA's recommendations that will meet both law enforcement and private sector needs in the
U.S. and abroad.³ This document neither endorses nor criticizes the concept of key
escrow. It does, however, examine the realities of a marketplace that has evolved
without a key escrow system and concludes that:
• The negative implications of using key escrow/Skipjack for protecting typical in-
formation technology applications far outweigh the potential benefits.
• The Data Encryption Standard should be recertified.
• An encryption strategy should be developed in a public forum.
• Sponsored research is needed to develop a software embodiment for key escrow.
• Encryption export controls need revision.
INFORMATION TECHNOLOGY HAS BECOME GLOBAL AND NETWORKED
Each year the market for information technology equipment and related products
becomes increasingly global. During the 1970s and early 80s the majority of sales
by U.S. manufacturers was domestic. Today, however, between half and two-thirds
of all sales by U.S. information technology manufacturers are to foreign customers.
1 See appended list of members.
2 "Key escrow" refers to the general concept; for specificity we have used the term "key escrow/
Skipjack" to refer to the technical embodiment currently under discussion.
3 The viewpoint in the paper is that of vendors in a global market seeking to meet their cus-
tomers' needs, including those of the government. Therefore, its focus is on business and eco-
nomic implications, and it expresses no positions on the social, political or legal issues surround-
ing the key escrow/Skipjack proposal.
The globalization of the market for information technology products has paralleled
a revolution in information technology use that has fundamentally changed the then
existing modes of operation. In the 1970s and early 80s most businesses imple-
mented large main frame computer complexes that served employees at the site or
remote terminals connected to a single computer system. Because few of these computer systems were connected with other computer systems, most security measures
were directed at the computer site.
Today, however, interconnected computers are the norm. Digital networks — such
as electronic mail systems, Internet, and digital telephone system — increasingly are
relied upon for routine as well as sensitive communications, and security is required
for those interconnections and for the personal computers being interconnected to
those networks. Continuing rapid development of information technology products
depends heavily upon wireless technology, and security will be required for commu-
nications among these products as well.
For the future we must develop processes that will support successful development of a National Information Infrastructure (which will in reality be global). In
this development major concern is already focused on how to safeguard information
on the network.
ENCRYPTION HAS BECOME A CRITICAL COMPONENT OF INFORMATION SECURITY
During the evolution of information processing, encryption also gained signifi-
cance. Although some vendors implemented their own versions of encryption, the
Data Encryption Standard (DES) and public key algorithms (such as RSA) became
the leading cryptographic techniques. DES is an American National Standard as
well as a Federal Information Processing Standard (FIPS). Today a large installed
base of devices and systems rely on DES and RSA. The banking industry, for example, has its standards for interbank operations such as funds transfer based on the
DES. Encryption based on the DES standard also is used increasingly in over-the-counter software products and as an element of larger hardware and software solutions.
In the 1980s customers demanded that vendors provide products which would op-
erate with one another. A major response to this demand was creation of the Inter-
national Organization for Standardization/International Electrotechnical Commis-
sion (ISO/IEC) Open Systems Interconnection (OSI) architecture, which provides se-
curity services including encryption among its specifications. In another response,
some vendors formed the Open Software Foundation (OSF) to help standardize im-
plementation of fundamental software tools across platforms such as the UNIX oper-
ating system. OSF has announced a set of network software products implementing
the distributed computing environment (DCE) which uses the DES algorithm for
purposes of authentication, data confidentiality and integrity, and network access
control. The Internet Society utilizes both DES and RSA to provide its Privacy Enhanced Mail (PEM) facility. This technique is very close to that utilized in the X.400
messaging recommendation and supported by the ISO/IEC OSI Directory standard.
The American National Standards Institute (ANSI) standards committee for bank-
ing, X9, has also recently adopted these techniques. In short, the infrastructure to
support security services for business needs, e.g., electronic data interchange of
transaction documents, health care automation and so on, is rapidly being deployed.
A key factor in the acceptance of DES and RSA is the confidence in their cryp-
tographic strength and overall integrity that has developed over years of public
scrutiny.
Demand for encryption is expected to increase more rapidly as techniques become
more simplified. In the past, utilization of encryption was a deeply considered deci-
sion made by user management, since employing it imposed significant costs, espe-
cially those of key management. But simpler key management techniques have been
developed that maintain a high level of security. One approach, for example, involves using a public key technique to deliver the DES key and DES to encrypt the
contents for confidentiality. As an example of another approach, the DCE noted
above generates session keys and manages the keys with total transparency to the
user. A result of this simplification has been the rapid evolution to using encryption
for applications in the commercial marketplace, because encryption services may be
included in typical information technology applications at a much lower cost.
Whole new classes of application and product have been developed which incor-
porate encryption in the product design. One example is automated teller products.
In such systems the customer is assured of security without having to think about
how this is achieved. Other examples of this product-design-encryption trend are
non-repudiation and digital signature services in electronic data interchange and
privacy enhanced mail on the Internet. These newest developments indicate that
encryption will become more, rather than less, prevalent in the future — both in or-
ganizationally controlled environments and in stranger-to-stranger operation.
DESIGN & INTEROPERABILITY CONSIDERATIONS REQUIRE FLEXIBLE ENCRYPTION,
AVAILABLE IN BOTH HARDWARE AND SOFTWARE
The importance of computer security has dramatically increased due to widespread deployment of distributed processing, open network highways, and greater
interoperation of computing platforms from many vendors. To meet this challenge,
the computer industry requires consistent cryptographic standards for algorithms,
procedures and applications. It also requires vendor access to information regarding
algorithms for freedom of implementation in various technologies and products. This
access and the resulting flexibility of implementation are largely responsible for the
success of DES and public key encryption. As a result of this evolution interested
vendors have negotiated licenses for the use of RSA. DES licenses are available roy-
alty free.
Other design and cost issues emerge when the application of key escrow/Skipjack
to wireless technologies is examined. Experience to date with cordless and cellular
phones shows that their vulnerability to being overheard is a significant weakness.
The cutting edge of information technology products, both personal and for the of-
fice, rely on wireless technology. Thus, many organizational customers will demand
encryption capability to maintain the confidentiality required for their operations.
The vendor's margins for these devices are expected to be slim, due to fierce competition and savvy, cost-conscious customers. Thus a premium will continue to exist
for flexibility in implementation and low cost.
Current rules-of-thumb put the final price of a component at four times its cost
to the manufacturer. Therefore the cost of key escrow/Skipjack (currently estimated
at $25) and its support circuitry could significantly raise a product's price compared
to the price of the same product without this encryption capability. It is apparent
that a hardware encryption method such as key escrow/Skipjack is a costly alter-
native to software embedded encryption, even with royalties.
For portable and personal devices there will be an additional issue raised by the
size and power requirements of the physical embodiment. The limiting performance
factor for such devices is battery life. Key escrow/Skipjack, then, must be designed
to cause a very low power drain. Combining this with the restricted physical space
available, an attractive design approach would be to use software encryption, since
the designers typically seek to minimize the number of chips in the device.
The requirements of hardware/software implementations and interoperability are
two vital requirements that are not met by key escrow/Skipjack. In summary, the
classified nature of the Skipjack algorithm creates the following problems for indus-
try:
1. Selection of a new, classified, unpublished algorithm for domestic commercial
usage is counter to the need for broad interoperability and management of cryp-
tography that is required by the customer.
2. The choice of classified technology for commercial applications restricts the industry's
ability to effectively and efficiently meet market needs. Since details are unknown
to product developers, it is impossible to implement that capability by embedding
it in systems products. With a single classified key escrow/Skipjack implementation,
this function cannot be effective in a broad range of products requiring
cryptographic capability. Whereas published algorithms have been effectively en-
gineered into products that range from a smart card to a mainframe, they do not
rely on a single technological implementation.
3. Because the Skipjack algorithm is classified, software implementations are ex-
cluded. In some cases encryption, while needing to be secure, does not need to be
fast. In this environment a software implementation might be the wisest, least ex-
pensive solution.
4. In certain applications there is a requirement to selectively apply encryption to
data. For example, in supporting electronic mail the address on the "envelope"
must be in the clear, even though the "letter" is encrypted. This will be difficult
to implement without customizing the encryption service. Since Skipjack is classi-
fied and isolated on a chip, such customization is difficult at best.
THE CONDITIONS DO NOT EXIST FOR MANDATORY IMPLEMENTATION OF KEY ESCROW/
SKIPJACK
Implementation of key escrow/Skipjack as a standard for data in the U.S.,
through extensive government procurement, would increase costs to the Government
by the need to design security products for which there is very limited overseas de-
mand. Specifically, the U.S. Government's guaranteed access to communications
made with products that incorporate key escrow/Skipjack will make the products ei-
ther unacceptable or highly undesirable for most non-U.S. customers. Other tech-
niques (e.g., DES) will therefore continue to be used, even though they are subject
to restrictive U.S. export controls. The resulting fragmentation of the market will
provide an advantage to overseas producers, who will continue to market DES-based
and other security products both in the U.S. and abroad.
The DES standard will continue to be used worldwide regardless of volume pur-
chasing by the U.S. Government. The DES standard is already widely used in the
banking industry, for commercial applications within the U.S., and by governments
outside the U.S. Implementations are available in both hardware and software; investment
in the installed base of DES applications is considerable. Consequently,
U.S. firms will continue to be solicited to provide data encryption products based
on DES. Some users stand to be disadvantaged commercially by implementation of
key escrow/Skipjack. In the banking industry, for example, systems would have to
be designed to this standard for communication with government agencies (e.g., the
Federal Reserve); however, institutions will have to continue to maintain data com-
munications based on both standards to serve non-U.S. financial institutions and institutions
that do not communicate with the Federal Government.
Key escrow/Skipjack is not compatible with implementations worldwide. Since
customers demand that devices interoperate with the installed base to protect the
investment they have made in hardware, software and administration of their sys-
tems, they will be unlikely to accept devices implementing key escrow/Skipjack be-
cause they lack the interoperability they need.
INDEPENDENT OF KEY ESCROW/SKIPJACK, EXPORT CONTROLS ON ENCRYPTION
SOFTWARE AND HARDWARE MUST BE RATIONALIZED
Although the Administration's key escrow/Skipjack proposal does not specifically
state the export control policy to be applied to this technology, no discussion of
encryption can omit the export control issue.
The U.S. controls all encryption products for export. Data encryption* is controlled
as a military item by the Department of State. As a matter of policy, a virtual
embargo is in place for all exports of products containing data encryption to
commercial customers other than banks, even to end-users located in countries that
are America's closest allies. This policy disregards the legitimate commercial need
for strong encryption capability.
Despite the fact that many types of software products containing encryption, particularly
those in the public domain and those that are sold on a mass-market basis,
are beyond effective control, and also the fact that many overseas vendors are now
offering strong encryption, the U.S. has made no significant change in its approach
to controlling these products. As a result, U.S. companies experience a loss in poten-
tial sales and increased corporate security risk with no commensurate benefit in
terms of national security.
Key escrow/Skipjack does not "cure" the fundamental problems of U.S. export con-
trols on encryption. As the key escrow concept underlying the approach is designed
to ensure access by the U.S. Government, products based on it will be either unac-
ceptable or highly undesirable for most overseas customers, even in the absence of
export controls. Thus export controls on this device are not needed or desirable.
In the study of export control issues, CBEMA and its members have received re-
quests to provide the "facts" proving current controls impose a serious reduction in
U.S. company competitiveness. Our consensus analysis of the issue for the future
is contained in this paper. Our consensus comments about the past are in our state-
ment for the June 2 NIST hearings. Our members individually have agreed to make
available company proprietary information under appropriate arrangements to en-
sure confidentiality.
CBEMA RECOMMENDATIONS
This paper has examined the design, interoperability, cost, potential customer ac-
ceptance and export control problems that are obstacles to the widespread use and
acceptance of key escrow/Skipjack. Yet CBEMA members are well aware of the con-
cerns of the U.S. government that led to the development of key escrow/Skipjack.
In an attempt to balance those concerns with the realities of the marketplace,
*We use the term "data encryption" to include all forms of controlled encryption for confidentiality.
This term includes "file encryption."
CBEMA offers the following recommendations regarding the key escrow/Skipjack
proposal.
1. CBEMA members have had much discussion regarding the implications of key
escrow/Skipjack to the future of the information and telecommunications indus-
tries. It is predicted that much of the previous separate technology of voice, fax
and data will converge. Current and future multimedia personal workstations are
examples of this convergence. In this environment the workstation will serve as
a voice answering machine, take voice dictation, fax information from a fax
modem and have the ability to store, manipulate and send images. Indeed, the
confusion on the possible scope of key escrow/Skipjack was emphasized in the
draft Federal Information Processing Standard (FIPS) regarding escrowed
encryption (EES). This draft contained an unusual description of the scope by de-
fining the word "data" as to include voice, fax, and computer information sent
across telephone lines.
Before the merger of these technologies, it was appropriate to look at each ap-
plication and build hardware and software satisfying that specific application. Be-
cause of this former approach, there is limited imbedded investment within gov-
ernment and industry in telephone and telephony products used in encrypting un-
classified voice communications. It would therefore seem that financial and oper-
ational dislocation problems would be minimized if the use of key escrow/Skipjack
were restricted to these traditional applications and its use were to remain voluntary.
However, employing key escrow/Skipjack even to secure traditional telephony
applications can be expected to create undesirable product design and market
ramifications for computer and software industries due to the previously men-
tioned convergence of these technologies. It seems inappropriate that the govern-
ment would continue to view these as separate and distinct application areas
when the rest of private industry is enjoying the benefits from an integrated approach.
There is the possibility that key escrow/Skipjack could conceivably satisfy
the need for encryption in government and commercial traditional telephony ap-
plications if the resulting devices could accommodate the space, cost, throughput
and power constraints that are imposed by the key escrow/Skipjack devices. Such
investments should be made with the knowledge that successful completion of
Recommendations two through four could obsolete that investment.
2. Key escrow/Skipjack, given present limitations, is unsuitable for applications in
which there is an embedded base of DES or similar capability, particularly of the
software variety. Therefore CBEMA recommends that DES be recertified as a federal
standard for data communications for an additional five years. During these
five years, government should collaborate with industry to achieve a mutually acceptable
encryption standards strategy, applicable to all communications, i.e.,
voice and data, and narrow and broad band communications. Both DES and pub-
lic key encryption should be considered in this effort, including the possible appli-
cation of the concept of key escrow to these technologies.
3. Develop an encryption strategy in a public standards forum, i.e., the American
National Standards Institute Accredited Standards Committee on Information
Processing Systems, X3, in the U.S., and then the International Organization for
Standardization/International Electrotechnical Commission Joint Committee on
Information Technology, JTC-1, internationally, with the objective of achieving
one or more encryption standards capable of meeting the requirements and ac-
ceptable to all users. CBEMA strongly recommends that all relevant issues, in-
cluding international acceptance, be considered with the specific objective of
agreeing on one or more international standards to satisfy the public need for
encryption for information transfer of every kind in various environments.
4. The government has requested industry's assistance to develop a software embod-
iment of Key Escrow/Skipjack. The government should issue a request for pro-
posal through an agency, e.g., the Advanced Research Projects Agency, for pursuit
of a software implementation of a strong encryption facility to be accomplished
without compromising the facility's nature.
5. In view of the widespread availability of encryption products worldwide and the
legitimate commercial need for encryption products, CBEMA urges that the fol-
lowing improvements be made with regard to export controls on encryption. These
improvements will more closely align the U.S. with COCOM policies and will also
enable U.S. companies to compete internationally:
• Software that is publicly available or mass market (per the internationally accepted
COCOM definition) should be decontrolled except for shipment to terrorist
and embargoed countries.
• Hardware implementations of decontrolled software should be similarly decon-
trolled.
• Dual-use encryption (not specifically designed for military applications) should
be controlled under the Export Administration Act and be subject to Depart-
ment of Commerce jurisdiction, not controlled under the ITAR.
• Encryption functionality currently under Commerce Department jurisdiction
and controlled under national discretion procedures should be decontrolled.
• In view of the fact that overseas demand for key escrow/Skipjack will not pose
any danger to the United States, encryption functionality provided by key escrow/Skipjack
should not be controlled for export.
Prepared Statement of the United States Council for International
Business
The U.S. Council for International Business is pleased to submit its views on
encryption and Clipper.
Introduction
The U.S. Council represents American business positions in the major inter-
national economic institutions, and before the Executive and Legislative branches
of the U.S. Government. As the U.S. member of the International Chamber of Com-
merce (ICC), the Business and Industry Advisory Committee (BIAC) to the OECD,
and the International Organization of Employers (IOE), the U.S. Council is the
American business group that officially consults with the key intergovernmental
bodies influencing international business. Its primary objective is to promote an
open system of world trade, finance, and investment.
The Need for an International Encryption Policy
The U.S. needs a comprehensive encryption policy that provides security for communications.
Such an encryption policy should preserve the right of privacy for business
and individuals in voice and digital communications transmissions. At the
same time, we recognize the government's legitimate interest in accessing telephone
communications for law enforcement and national security reasons. We therefore
support the U.S. Administration's directive to Government agencies to develop a
comprehensive encryption policy, as announced one year ago on April 16, 1993.
An encryption policy, however, is not solely a domestic issue. The presence of an
internationally accepted encryption policy is essential, as companies operate in a
global marketplace. International businesses are demanding seamless webs of com-
munications networks whereby information can flow in a free and secure manner.
Today secure communications are critical to intra- and inter-corporate communica-
tions and transactions, as hackers, criminals and unauthorized parties find increas-
ingly sophisticated tools to violate the privacy and security of communications sys-
tems. Companies need effective, internationally accepted cryptographic standards
for secure communications and digital signatures to conduct their operations. Al-
though highly technical in nature, such standards could have a profound effect upon
the competitiveness of U.S. manufacturers and users of products with encryption
features.
"Clipper"
The Executive Branch's announcement in April 1993 of its encryption initiatives
raised great concern among U.S. businesses. Since these initiatives (Clipper and
Capstone) do not employ internationally accepted standard technologies and algorithms,
business will be forced to employ dual systems in order to ensure secure
communications on a global scale. Implementation of these initiatives will represent
significant cost to American industry in equipment, software, and other resources.
The U.S. Council's concerns over the Administration's initiatives were expressed
in a December 16, 1993 letter to Secretary of Commerce Ronald H. Brown and a
March 3, 1994 letter to Vice President Albert Gore. In our letter to Vice President
Gore, we said that despite the overwhelming negative public response, the Clipper
initiative was still being advanced. Recently, there have been presentations given
and press coverage on a new encryption initiative known as Tessera which imple-
ments the Capstone chip. Since Tessera has the same fundamental attributes as
Clipper, our concerns, as explained below, also apply to Tessera.
As a voice of business, representing large users and vendors of encryption sys-
tems, the U.S. Council would like to concentrate its comments on Clipper on three
issues of great concern to its members:
(1) competitiveness,
(2) cost to users, and
(3) liability.
1. COMPETITIVENESS
To be competitive in the global marketplace, U.S. companies must be able to sell
and integrate into their products, systems that are freely exportable and desirable
to users worldwide. Multinationals need secure communications so they can interact
not only with their offices but also their suppliers and customers worldwide. For example,
in order for financial institutions to be competitive they must use encryption
systems, for banking and non-banking applications, that are acceptable worldwide
so they can communicate with other financial institutions and their customers
around the world. The competitiveness of U.S. companies can be approached from
two separate, yet interrelated aspects:
(a) Foreign desirability for chip devices, and
(b) Current export restrictions.
a. Foreign desirability of the key escrow chip
It is unlikely that foreign buyers, especially foreign governments, will want a sys-
tem developed by the U.S. Government, whereby the U.S. Government holds, or has
access to, the keys. Foreign import controls and regulatory requirements for
encryption systems present yet another impediment to the foreign sales of Clipper.
While there are few obstacles to sales of U.S. encryption products in most foreign
countries, some countries require full disclosure of the algorithm or demand that the
manufacturers or users deposit the key with the proper authorities. Clipper contains
a classified algorithm so it cannot be registered in countries that require disclosure
of the algorithm. As the U.S. Government is the holder of, or has access to, the key,
a user of Clipper could not deposit the key and it is not known whether the Government
will comply with this requirement. Therefore, it seems unlikely that Clipper
could be sold in countries that have such requirements.
b. Current export controls
The competitiveness of U.S. companies has suffered long enough under current ex-
port control restrictions. DES and RSA use algorithms that are unclassified, widely
available around the world, internationally-accepted, implementable in hardware
and software, and, most importantly, secure for communications. These encryption
systems have been under, and are continually subject to, public scrutiny. As such
they have stood the test of time; there have not been any proven successful attempts
to break DES or RSA. By protecting economic interests, DES and RSA enhance na-
tional security.
Although DES and RSA are widely available and used around the world, they are
subject to export control restrictions. Non-U.S. vendors produce and sell these sys-
tems in foreign countries where U.S. companies are prohibited from selling because
of U.S. export controls. Other encryption systems, based on less powerful algorithms
(RC2 and RC4), can be exported on a fast-track export licensing approval process.
These weaker systems, however, are less desirable to users of encryption systems.
Multinational corporations need to communicate, in a secure manner, with their
vendors and customers around the world and should not be prohibited from using
the most secure system available. These weaker systems are also less appealing in
the international market because foreigners can produce and use the more powerful
DES and RSA systems. Moreover, because many foreigners are not subject to the
strict export controls that exist in the U.S., non-U.S. manufacturers can sell within
their own country and to other countries, where U.S. companies cannot compete.
Our competitiveness will only worsen if existing restrictions continue while foreign
capability to provide and use powerful encryption systems increases. The logic behind
continuing such strict controls on certain U.S. exports, which have wide foreign
availability, seems flawed and therefore such controls should be abolished.
2. COSTS TO USERS
There are also substantial operational and administrative costs associated with
Clipper. Since Clipper does not interoperate with other encryption systems such as
DES, RSA, RC2, and RC4, users will face an additional cost of acquiring the device
that contains the Clipper chip. Although the chip itself is relatively inexpensive (ap-
proximately $25 per chip), the cost of implementing it into existing communications
systems, or in addition to current systems, will be substantial. The cost to buy the
device that contains the Clipper chip will be many times more than the chip itself.
Given the substantial investment already made in the installed base of DES and
RSA products, the cost to buy additional and different devices is large. Moreover,
this is an additional cost that many businesses will essentially be forced to absorb.
Corporations that communicate with U.S. Government agencies that use Clipper
will also have to use Clipper and thus absorb the costs.
The administrative costs, such as key management, to support differing
encryption systems are also substantial. When key management is implemented for
only one encryption system, the cost can be held to a minimum. If users need to
implement several key management operations, supporting different encryption sys-
tems, the costs will be significant.
3. LIABILITY
Lastly, the U.S. Council is very concerned about the issue of liability. Since Clip-
per is a hardware-based device through which information is encrypted, a com-
promise of the key will destroy the security of the system and all data contained
therein. It is unclear how a company would know if the key has been compromised,
who is liable, and who should bear the cost of replacement. Moreover, the con-
sequential damages resulting from a breach in security might be tremendous and
possibly unrecoverable. In DES and RSA systems, the user selects his own key;
therefore, the keys are not susceptible to being compromised beyond the user's own
control. In the case of Clipper, the main keys are assigned during manufacturing,
are not changeable by the user and are escrowed with designated agencies. Even
though the Government is responsible for developing and holding, or having access
to, the keys, it has stated that it would not be liable for any compromise of the keys.
Recommendations
Any encryption policy should be based on an algorithm that is unclassified,
implementable in hardware and software, and useable in interconnected networks
that are defined by today's global economy. The preferred approach is to use algorithms
that are standards (i.e., DES and RSA) and which can be used for digital
signature, message authentication, encryption, and key management where the key
management system is controlled by its user. Moreover, the encryption system
should neither be subject to export control restrictions nor incompatible with exist-
ing encryption systems used worldwide. The U.S. Government and the private sec-
tor should work together in an open forum to develop an acceptable encryption pol-
icy. Our efforts should be coordinated with foreign governments, international insti-
tutions, and the international business community to develop a global encryption
policy.
Crypto Policy Perspectives
by Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy Denning,
Whitfield Diffie, Anthony Lauck, Douglas Miller, Peter Neumann, and David Sobel
On April 16, 1993, the White House announced the Escrowed Encryption Initiative,
"a voluntary program to improve security and privacy of telephone communica-
tions while meeting the legitimate needs of law enforcement." The initiative in-
cluded a chip for encryption (Clipper), to be incorporated into telecommunications
equipment, and a scheme under which secret encryption keys are escrowed with the
government; keys will be available to law enforcement officers with legal authoriza-
tion. The National Security Agency (NSA) designed the system and the underlying
cryptographic algorithm SKIPJACK, which is classified. Despite substantial nega-
tive comment, ten months later the National Institute of Standards and Technology
approved the Escrowed Encryption Standard (EES) as a voluntary Federal standard
for encryption of voice, fax, and computer information transmitted over circuit-
switched telephone systems.
Underlying the debate on EES are significant issues of conflicting public needs.¹
Every day, millions of people use telephones, fax machines, and computer networks
¹ EES is primarily for use with telephones and fax machines, but this report also addresses
the expected extension of escrowed encryption to a broader context than the present Federal
standard.
for interactions that used to be the province of written exchanges or face-to-face
meetings. Private citizens may want to protect their communications from electronic
eavesdroppers. Law enforcement seeks continued access to criminals' communications
(under legal authorization). In order to compete in the global marketplace,
U.S. manufacturers want to include strong cryptography in their products. Yet na-
tional-security interests dictate continued access to foreign intelligence. Both the
EES and the controversy surrounding it are but the latest and most visible develop-
ments of a conflict inherent in the Information Age. Electronic communication is
now an unavoidable component of modern life.
Many times a day people transmit sensitive data over insecure channels: reciting
credit card numbers over cellular phones (scanners are ubiquitous), having private
exchanges over E-mail (Internet systems are frequently penetrated), charging calls
from airports and hotel lobbies (our Personal Identification Numbers (PINs) are eas-
ily captured). The problem is magnified at the corporate level. For several years in
the nineteen-seventies, IBM executives conducted thousands of phone conversations
about business on the company's private microwave network — and those conversa-
tions were systematically eavesdropped upon by Soviet Intelligence agents.
IBM's situation is not unique. Weak links exist throughout electronic communica-
tions, in networks and in distributed computer systems. Often the vulnerability of
communications allows system penetration. Computer systems can be a weak link.
Deceptive communications can easily undermine users' confidence in a system. For
example, a group of students at the University of Wisconsin forged an E-mail letter
of resignation from the Director of Housing to the Chancellor of the University.
There can be denials of service because of altered or jammed communications; "video
pirates" have disrupted satellite television programs a number of times.
Over the past five years thousands of mainframe computers have been replaced
by networked distributed computing systems. This process is accelerating, and that
change will only increase the importance of secure electronic communications. The
National Information Infrastructure (NII), the "information superhighway", will
have an even greater effect. Businesses will teleconnect with customers to sell and
bill. Manufacturers will electronically query suppliers to check product availability.
Insurance companies, doctors and medical centers will carry on electronic exchanges
about patient treatment. The emerging technologies of the Information Age are rev-
olutionizing the ways in which people exchange information and transact business.
Much of the information being sent on the NII will be sensitive. Protecting confidentiality,
authenticity and integrity in the information infrastructure is extremely important
to economic stability and national security.
How can communications security be achieved? A very important part of the solu-
tion is cryptography. Cryptography was once the domain of generals and small chil-
dren, but the advent of the Information Age has sharply increased the public's need
for it. Cryptography can help prevent penetration from the outside. It can protect
the privacy of users of the system so that only authorized participants can com-
prehend communications. It can ensure integrity of communications. It can increase
assurance that received messages are genuine.
Confidentiality, the benefit most often associated with cryptography, is obtained
by transforming (encrypting) data so that it is unintelligible by anyone except the
intended recipient. Integrity is a security service that permits a user to detect if
data has been tampered with during transmission or while in storage. Closely related
to integrity is authenticity, which provides a user with a means of verifying the
identity of the sender of a message.
Over the last twenty years several strong cryptographic algorithms² have
emerged, including the Data Encryption Standard, or DES, and the public key algorithms,
Diffie-Hellman and RSA. DES is coming to the end of its useful life with
its key size and complexity being overtaken by improvements in speed and cost of
computers. Because strong cryptography for confidentiality purposes has the poten-
tial to interfere with foreign intelligence gathering, the U.S. government generally
does not permit the export of strong cryptography for confidentiality purposes.
Strong cryptography can also impede electronic surveillance by law enforcement. Yet
the U.S. private sector, from bankers to the future users of the NII, needs strong
cryptography.
CRYPTOGRAPHIC ALGORITHMS
The Escrowed Encryption Standard (EES) was proposed as a solution to these
conflicting problems, by making available strong cryptography while providing a
² Strong cryptographic algorithms are ones which are exceedingly difficult to break by attacks
including exhaustive search over the entire key space.
mechanism through which law enforcement could access encrypted communications.
But EES raises problems of its own:
(i) Many are uncomfortable with a cryptographic scheme in which the private
keys of users are available to the U.S. government,
(ii) Many distrust a scheme where an algorithm for public use is classified,
(iii) Foreign buyers may be unwilling to purchase products that imple-
ment the EES, and
(iv) The algorithm is available only in hardware form, increasing costs
and decreasing flexibility.
In 1975, the United States proposed DES for the protection of "sensitive but unclassified
information" by government agencies. DES was designed by IBM
and adopted as a Federal Information Processing Standard (FIPS) in 1977 (in the
same series that now includes the EES). It is a private or single-key system and
the key used to protect communications between two parties must be known to both
parties and kept secret from everyone else.
At the time DES was proposed, it enjoyed a period of controversy in which its
keys were characterized as too small and other weaknesses were suspected. Despite
this, DES has proven remarkably resistant to public attacks.
At about the same time, academic researchers developed a family of cryptographic
techniques that became known as public-key or two-key cryptography. One approach,
proposed by Ralph Merkle at Berkeley and refined by Whitfield Diffie and
Martin Hellman at Stanford allowed two parties to negotiate a common secret piece
of information over an insecure channel. Another, proposed by Diffie and Hellman
and realized by Ron Rivest, Adi Shamir, and Leonard Adleman of MIT, made it pos-
sible to use a key that was not secret (a public key) to encrypt a message that could
only be decrypted by a particular secret key. Conversely, a message transformed by
a secret key could be verified as coming from the sender by applying the sender's
pubUc key. This second use of pubUc-key technology came to be called a digital sig-
nature.
By 1991, the RSA system, which is based on the notion that factoring integers
is computationally much more difficult than multiplying them, had become the de
facto standard for digital signatures. The list of licensees of RSA digital signature
technology³ read like a computer industry roll-call: Apple, AT&T, DEC, IBM, Lotus,
Microsoft, Northern Telecom, Novell, Sun, WordPerfect.
RSA and DES provide the U.S. commercial sector with techniques for achieving
confidentiality, integrity and authenticity; for example, Privacy Enhanced Mail
(PEM), an Internet standard for secure E-mail, combines them to achieve security.
However, with the exception of exporting DES for use by financial institutions or
foreign offices of U.S.-controlled companies, the State Department typically refuses
export licenses for confidentiality systems employing the algorithm. Despite this,
DES is believed to be the most widely used cryptosystem in the world, except perhaps
scramblers used for pay-television. In the United States, the American Banking
Association recommends DES whenever cryptography is needed to protect financial
data. DES is the cryptographic scheme most often used in commercially available
secure telephones.
The export system presents a problem for U.S. industry, all the more so since
DES is widely available outside the United States. A March 1994 study by the Software
Publishers Association lists thirty-three foreign countries with 152 cryptography-based
products using DES.
EMBEDDING CRYPTOGRAPHY
A brief look at communication systems explains the importance of cryptography
in achieving security. Telephony is an excellent example. The only way to provide
a secure voice path between two telephones at arbitrary locations is to encrypt the
words spoken into one and decrypt them as they come out of the other. Public-key
cryptography makes it possible for the two phones to agree on a common key known
only to them without the mediation of a trusted third party. The users simply establish
the call, push a button, and wait a few seconds for the phones to make the
arrangements.
In the simplest systems, the users must rely on voice recognition to assure
authenticity, just as with unsecured phone calls. If the system must provide
authentication to users who do not know one another, some central administration is
required to issue cryptographic credentials by which each phone can recognize the
other.
³ RSA is patented in the U.S.
Currently, secure telephones are expensive. In addition to the cryptographic devices,
a secure phone must include a voice digitizer to convert speech to a form in
which it can be encrypted and a modem to encode the digitized signal for transmission
over the phone line. As a result, the least expensive secure phones cost over
a thousand dollars apiece.
Securing communications for computers in a distributed system presents different
problems. There is no analogue of voice recognition. If authentication is to be avail-
able, it must be done by formal cryptographic procedures. This requires the comput-
ers to identify people or machines through long-term keys. The relationship between
telephones, even secure telephones, is conceptually simple: they set up calls and
transmit sound. The relationship between computers in a distributed system is con-
siderably more complex: machines routinely share files and execute programs for
each other. These wedded interactions complicate the process of protection and
make computer break-ins difficult to prevent.
Systems owners are typically unwilling to make substantial investments in hard-
ware or software for security purposes, although they may be willing to pay some
premium for products that contain integrated security features. Many vendors see
software as the least expensive means of adding cryptographic security features to
their products.
A secure mail system like PEM is the workstation analogue of a secure telephone;
it encrypts and decrypts mail so the user can correspond privately. Unfortunately,
a software implementation of PEM is vulnerable to penetration of the program in-
cluding the compromise of its long term keys. One of the ways in which such pene-
trations occur is through the implanting of modified programs or other data into the
user's working environment. Without trustworthiness, cryptography embedded in an
application or in the operating system is no panacea.
LAW ENFORCEMENT
Technology causes a constant rearrangement in the relationship between the
criminal and the law. The advent of telecommunications enabled criminals to exe-
cute their plans more covertly. Once law enforcement learned how to listen in, offi-
cials could do so without placing themselves in danger. Wiretapping is a tool that
diminishes the value of communications to criminals; cryptography potentially
counters this.
Current wiretap law dates from the 1968 Omnibus Crime Control and Safe
Streets Act; Title III of the Act established the basic law governing interceptions in
criminal investigations. In 1978 the Foreign Intelligence Surveillance Act estab-
lished the national-security counterpart to Title III, authorizing electronic surveil-
lance for foreign intelligence.
Title III requires a court order for the installation of a wiretap (as do most FISA
intercepts). For Title III orders there must be probable cause to believe that the tar-
geted communications device — whether phone, fax, or computer — is being used to fa-
cilitate a crime, which must be one of those enumerated by the law. Thirty-seven
states also have statutes authorizing wiretaps; by law, the state requirements must
be at least as restrictive as the Federal statute.
Since 1968, when Title III was passed, there have been approximately nine hun-
dred Federal and state wiretaps annually. In data released by the Administrative
Office of the U.S. Courts, between 1968 and 1992, the average annual number of
incriminating conversations intercepted has remained between two and four hun-
dred thousand. In 1992, the average cost of installing a wiretap and subsequently
monitoring it was $46,492.
The law enforcement community views wiretaps as essential. Such surveillance
not only provides information not obtainable by other means, it also yields evidence
that is considered extremely reliable and probative. According to the FBI, organized
crime has had severe setbacks due to the use of wiretap surveillance. The FBI be-
lieves the tool is critical for drug cases. Wiretapping is an important investigative
technique in cases of governmental corruption and acts of terrorism.
The importance of wiretap surveillance was the reason for the Digital Telephony
Proposal, which was developed by the FBI and submitted to Congress in 1992. To
ensure that the government's ability to intercept communications is not curtailed by
the introduction of advanced digital switching technology, this proposal requires
providers of electronic communication services to design their switches accordingly.
Major members of the computer and communications industries, including AT&T,
Digital, Lotus, Microsoft and Sun, strongly opposed the proposal, and there were no
Congressional sponsors. A revised proposal was recently submitted for consideration.
The Digital Telephony Proposal concerns access to communications, but law en-
forcement is also concerned about its ability to understand those communications
after interception. Off-the-shelf encryption technology may be an easy way for
lawbreakers to foil criminal investigative work. Members of the law-enforcement
community view EES as a solution that provides the public with strong cryptog-
raphy while not compromising investigators' ability to comprehend legally inter-
cepted communications.
NATIONAL SECURITY
Foreign access to cryptography of even moderate strength poses a problem for
U.S. intelligence. Those who think about vulnerabilities from the viewpoint of security
typically regard strong encryption of each message as the only barrier to
communications intelligence. However, a message cannot be analyzed until it has been
located. Locating the traffic of interest is as important a problem as any. Even
encryption that is too weak to resist concerted attack can multiply the cost of
targeting traffic several-fold.
The growth of communications intelligence in this century has been accompanied
by a similar growth in techniques for protecting communications, particularly
cryptography. Nonetheless the communications intelligence product is now better than
ever. In the recent past, there has been migration of communications from more secure
media such as wirelines or physical shipment to microwave and satellite channels;
this migration has far outstripped the application of any protective measures.
But while the United States may be the greatest beneficiary of communications
intelligence in the world today, it is also its greatest potential prey. The protection
of American communications against both interception and disruption is vital to the
security of the country.
When DES was adopted as a government standard in 1977, cryptographic protection
of substantial quality became available in both hardware and software packages.
With hindsight, some in the intelligence community might consider the public
disclosure of the DES algorithm to have been a serious error. DES-based equipment
became available throughout the world; cryptographic principles revealed by study-
ing the algorithm inspired new cryptographic designs; and DES provided a training
ground for a generation of public cryptanalysts.
EXPORT CONTROL
National-security experts argue that export control is essential if the U.S. is to
protect its communications without affording protection to the rest of the world.
Export-control policy seeks to limit foreign accessibility to strong cryptography.
Internet availability of strong cryptography notwithstanding, many security experts
believe that the export control policy is working. They argue that foreign organizations
that are concerned about protecting their information from sophisticated intercept
are not likely to download an encryption program from the Internet. Others
disagree, and believe that the only real effect of present export-control policy is to
ship U.S. jobs overseas. Many complain that export control has had a chilling effect
on American business by making U.S. products less competitive.
Export-control policy on cryptography has complicated development of secure systems.
An example is provided by Digital Equipment's Distributed System Security
Architecture (DSSA), which DEC spent many years and many millions of dollars
developing. In planning the system, Digital sought to make a product which
would pass government export controls for cryptography. In particular, in designing
DSSA Digital engineers carefully separated authentication from confidentiality.
They began building two distinct versions of the product, a domestic one with au-
thentication and confidentiality, and one for export, with authentication only. This
additional complexity slowed the work. A Digital senior manager familiar with the
program asserted that the delays associated with attempts to meet export restric-
tions were a significant factor in Digital's decision to abandon DSSA.
Cryptography is not the only American product subject to export control. Striking
a balance between economic strength (by opening markets for U.S. companies), and
protecting national security (by restricting the sale of military technology) requires
making complex choices. What differentiates this conflict from, say, the exportability
of supercomputers, is that equivalent cryptographic products are available for sale
internationally. Opponents of cryptographic export controls argue that U.S. vendors
are penalized while cryptographic products proliferate. Proponents of these controls
argue that the most serious threat to foreign intelligence gathering comes not from
stand-alone products that constitute most of the market, but from well-integrated,
user-friendly systems in which cryptography is but one of many features. From this
perspective, it is essential to control export of the commodity, desktop hardware and
software with integrated cryptography. The U.S. is the pre-eminent supplier of
such products.
National-security experts have argued that removal of U.S. export controls on
cryptography would result in the imposition of foreign import controls; they point
to France, which does not permit the use of encryption without governmental
registration of the algorithm. In recent years, the policy of the U.S. government has
been to oppose trade restraints, so this contention is something of an about-face. It
is speculative. At present, no Western European governments other than France restrain
the import of cryptographic products, and only a few Asian governments do so.
The EES may have an indirect impact on the export of computer equipment. Export
of key-escrow equipment will be permitted, but both the secrecy of the algorithm
and the U.S. government's possession of keys may dampen the enthusiasm
of prospective foreign buyers. In order to build products for both the domestic and
export markets, computer vendors might need to support two sets of cryptographic
algorithms.
THE RIGHT TO PRIVACY
If law enforcement and national-security interests argue against the availability
of strong cryptography without key escrow, other traditions of the U.S. argue
strongly in its favor. The right to privacy, the "right to be left alone," is fundamental
to American life. Civil libertarians view the availability of strong cryptography as
necessary to the ability to communicate in privacy.
Protecting Americans' privacy rights is a constant struggle. Private industry,
including credit bureaus, insurance companies, and direct marketers, collects a vast
amount of information about individuals. The proliferation of electronic databases
has only exacerbated the problems Congress attempted to ameliorate twenty-four
years ago, when it passed the Fair Credit Reporting Act. Despite abuses by the private
sector, civil-liberties groups view government abuse of privacy with much
greater concern. In its attempt to ensure the safety of its citizens, the government
can overstep boundaries of the rights of the individual. One does not have to look
far back in the nation's history to find egregious examples of such abuse.
Based on information illegally supplied by the Census Bureau, one hundred and
twelve thousand Americans of Japanese ancestry were put in internment camps
during World War II. During the nineteen-sixties, the FBI regularly taped conversa-
tions of many civil rights leaders, including Martin Luther King. The 1974 Senate
Select Committee to Study Governmental Operations found numerous examples of
the NSA abuse of privacy rights of private individuals. As a direct result of these
activities, legislative, executive order and regulatory provisions were instituted with
the intent of eliminating future such occurrences.
Privacy rights are one of the individual's most potent defenses against the state.
Privacy rights of the individual are embedded in the Fourth and Fifth Amendments.
Supreme Court Justice Louis Brandeis said it eloquently in his dissent on the
Olmstead wiretapping case,
The makers of our Constitution undertook to secure conditions favorable
to the pursuit of happiness. They recognized the significance of man's spiritual
nature, of his feelings and his intellect * * * They sought to protect
Americans in their beliefs, their thoughts, their emotions and their sensations.
They conferred, as against the government, the right to be let alone —
the most comprehensive of rights and the right most valued by civilized
man * * *⁴
Privacy, however, is not always deemed absolute. Sometimes privacy is traded for
convenience. Americans are captured on video recordings as we shop; we leave behind
electronic chronicles as we charge phone calls. We pay for milk and bread via
an ATM withdrawal at the supermarket, and we leave a record of our actions where
five years ago we would have left a five-dollar bill. Sometimes it is traded for safety.
Each day hundreds of thousands of Americans pass through metal detectors to get
on airplanes. Most people consider those intrusions of privacy well worth the assurance
of greater public safety.
⁴ Olmstead v. United States, 277 U.S. 438, 1928, pg. 752.
CRYPTOGRAPHY POLICY
Civil-liberties groups argue that constitutional protections need to keep pace with
new technology. Their concern is that governmental attempts to limit the use of
cryptography, whether through force of law, or through more subtle efforts such as
market domination, can result in the foreclosing of privacy protection choices.
Concern over control of cryptography first arose when cryptography became an active
area of research for academia and business. There were conflicts over which
Federal agencies would fund non-governmental cryptography research, and whether
such work might be subject to some form of prior restraint on publication.
In response to these difficulties, the American Council on Education convened a
study group, which presented a set of voluntary guidelines for prepublication review
of research papers in cryptography. The National Security Agency and the National
Science Foundation worked out an agreement by which both agencies would fund
cryptographic research. Research now flourishes in both domains.
Several years later, President Reagan issued National Security Decision Directive
145 (NSDD-145), establishing as Federal policy the safeguarding of sensitive but
unclassified information in communications and computer systems. NSDD-145 stipulated
a Defense Department management structure to implement the policy: the
NSA, the National Security Council and the Department of Defense. There were
many objections to this plan, from a variety of constituencies. Congress protested
the expansion of Presidential authority to policy-making without legislative participation.
From the ACLU to Mead Data Central, a broad array of industrial and civil-liberties
organizations objected to Department of Defense control of unclassified information
in the civilian sector.
In 1987 Congress sought to clarify the issue with the Computer Security Act,
which assigned to the National Bureau of Standards (now the National Institute of
Standards and Technology, or NIST) "responsibility for developing standards and
guidelines to assure cost-effective security and privacy of sensitive information in
Federal computer systems, drawing on the technical advice and assistance (including
work products) of the National Security Agency, where appropriate."
Civilian computer security standards were to be set by a civilian agency. But
seven years later both civil-liberties and industrial groups feel NSA is more involved
in civilian standards than the Computer Security Act mandated. They point to the
NSA-designed digital signature standard (DSS) and the cryptographic algorithm
SKIPJACK that underlies EES. Concerns over national-security involvement in civilian
matters, as well as concerns over the government plan to escrow keys of private
users have led such civil-liberties groups as the ACLU and Computer Professionals
for Social Responsibility to oppose EES.
EES AND PRIVACY
Advocates of EES claim the availability of strong cryptography will provide Amer-
icans with better and more readily available privacy protection than they currently
enjoy. They observe that no one will be forced to use it, and that other forms of
encryption will be allowed. Opponents believe the potential for abuse by the govern-
ment makes EES a danger not to be risked, and counter that if a large Federal
agency like the IRS adopts EES, then electronic filers who choose to secure their
transmissions may have to use EES. This would have the impact of making the vol-
untary standard the de facto national one.
There is no question that the market impact of the Federal government can be
huge, although recent experience illustrates that the government's ability to influ-
ence the computer communication market is not always successful.⁵ Adoption of
EES, as a standard, voluntary or otherwise, decreases the chance there will be com-
peting systems available. Indeed the true success of EES, as measured by law en-
forcement's continued ability to decrypt intercepted conversations, can only come at
the expense of (widespread use of) competing systems for secure telecommunications.
Proponents respond that privacy protection will be better than ever. Should the
government illegally tap a communication, the escrowed system will leave an elec-
tronic audit trail, and make the illegal interception easier to uncover than it is at
present. Reminding us of the abuses of Watergate and the revelations of the Church
Committee, civil-liberties groups contend that the NSA should not be building gov-
ernment trap-doors into the civilian communications infrastructure.
⁵ The failure of the GOSIP initiative, an attempt to mandate procurement of computer communication
protocols that conform to the ISO OSI standards, is one such example.
EES AND THE COMPUTER INDUSTRY
Meanwhile EES presents other problems for the computer industry. The govern-
ment's attempt to create strong cryptography that would not hinder law enforce-
ment's abilities to comprehend legally intercepted conversations led to a hardware
solution. Industry prefers software implementations for a number of reasons. They
are cheaper, and they offer a flexibility that hardware does not.
The industry has already made substantial investments in DES and RSA solu-
tions for secure systems. In lots of ten thousand, Clipper chips will cost approxi-
mately $15; industry experts contend that this translates to a finished product with
escrowed encryption capabilities costing about sixty dollars more than one without.
From a vendor viewpoint, hardware encryption provides greater security but does
so at much greater expense than software. It is not clear that prospective purchasers
are willing to pay for this increased security.
THE BROADER POLICY ISSUES
In the full report, we discuss in detail the various policy and technical concerns
surrounding cryptography. The problems of communications security and its cryptographic
solution are technical ones, but the issues are much broader. They deserve
careful and thoughtful public debate. We raise questions here and in the full report.
Answers will take longer.
It took the Supreme Court nearly forty years to expound on the privacy of tele-
phone communications. In the Olmstead case in 1928, the Supreme Court held that
wiretapping evidence did not need court authorization. Over the next four decades,
the Court slowly created a penumbra of privacy for telecommunications. Finally, in
1967, in Katz versus the United States, the Court held that a phone call in even
so public a place as a phone booth was deserving of privacy — it could not be tapped
without prior court authorization. Computer communications differ from the tele-
phone, but it is likely that the public's embrace of this medium will be considerably
more rapid than the acceptance of the earlier technology. How will law and policy
for the protection of electronic communications evolve? Is there an absolute right to
communications privacy?
Members of the law enforcement community believe that the widespread use of
encrypted telecommunications (especially phone calls) will interfere with their abil-
ity to carry out authorized wiretaps. Is this a problem that needs a solution? Should
cryptographic solutions for communications security include authorized government
access for law enforcement and national security purposes?
What will happen if criminals use cryptography other than EES? The Digital Te-
lephony proposal involves investment in the telephone infrastructure in order to ensure
that court-authorized wiretaps can be carried out. These wiretap capabilities
will be less useful if communications are encrypted. What is the relationship be-
tween Digital Telephony and EES? Will there be any future attempt to outlaw alter-
native forms of cryptography?
What would the success of escrowed encryption mean? Would it simply mean gov-
ernment use of EES-type products? Or would it mean a much more widespread use
of EES products? Would it mean the availability of EES-type products to the exclu-
sion of all else?
We are experiencing fundamental transformations in the way that people and or-
ganizations communicate. The very infrastructure of the nation is changing. The
question we need to address is: How should we interpret the Fourth Amendment,
The right of the people to be secure in their persons, house, papers and
effects against unreasonable searches and seizures shall not be violated;
and no warrants shall issue but upon probable cause * * *
for the Information Age?
DESCRIPTION OF AUTHORS
Susan Landau is Research Associate Professor at the University of Massachu-
setts. She works in algebraic algorithms, which has applications to cryptography.
Stephen Kent is Chief Scientist-Security Technology for Bolt Beranek and
Newman Inc. For over 18 years, he has been an architect of computer network security
protocols and technology for use in the government and commercial sectors.
Clinton C. Brooks is an Assistant to the Director of the National Security Agency.
He is responsible for orchestrating the Agency's technical support for the government's
key escrow initiative.
Scott Charney is Chief of the Computer Crime Unit in the Criminal Division in
the Department of Justice. He supervises five federal prosecutors who are respon-
sible for implementing the Justice Department's Computer Crime Initiative.
Dorothy E. Denning is Professor and Chair of Computer Science at Georgetown
University. She is author of "Cryptography and Data Security" and one of the out-
side reviewers of the Clipper system.
Whitfield Diffie is Distinguished Engineer at Sun Microsystems. He is the co-in-
ventor of public-key cryptography, and has worked extensively in cryptography and
secure systems.
Anthony Lauck is a Corporate Consulting Engineer at Digital Equipment and its
lead network architect since 1978. His contributions span a wide range of
networking and distributed processing technologies.
Douglas Miller is Government Affairs Manager for the Software Publishers Asso-
ciation.
Peter G. Neumann has been a computer professional since 1953, and involved in
computer-communication security since 1965. He chairs the ACM Committee on
Computers and Public Policy and moderates the Risks Forum.
David L. Sobel is Legal Counsel to the Electronic Privacy Information Center
(EPIC). He specializes in civil liberties, information and privacy law and frequently
writes about these issues.
Yankelovich Partners
3622 Campus Drive, Newport Beach, CA 92660
Memorandum
To: Data users
From: Hal Quinley
Date: March [day illegible]
Subject: Time/CNN poll
Here are the results of the latest Time/CNN poll conducted on March 2-3, 1994.
The survey was conducted by telephone among 600 adult Americans. The sampling
error is plus or minus 4%.
The Encryption Chip [title partly illegible]
(March 2-3, 1994)
                                                                          %
19. Which of the following do you think is more important?
    Protecting the ability of police and other government officials to
    catch criminals by listening to phone calls ....................... 29
    (Or,) Protecting the ability of private citizens to prevent anyone,
    including the police, from listening to their phone calls ......... 66
    Not sure ........................................................... 5
20. It has been proposed that a computer chip be installed in every
    telephone, computer modem and fax machine. The government would be
    able to tap into these devices and listen to messages if a judge
    permits it. Do you favor or oppose giving the federal government
    this authority?
    Favor ............................................................. 18
    Oppose ............................................................ 80
    Not sure ........................................................... 2
Time/CNN 03/2-3/94
Questions and Answers
Answers to Questions From Senator Leahy to Assistant Attorney General
Jo Ann Harris
Question 1. What is the number of people who will have access to the key escrow
facilities within the Commerce and Treasury Departments? What is the number of
people with access to those keys that have been released pursuant to court order?
Answer 1. To begin with, it must be understood that the key-escrow databases
will be held in encrypted form and that the escrow agents will be incapable of
decrypting those databases. Nevertheless, both NIST and Treasury will strictly limit
the number of individuals that have access to the key-escrow databases, with the
objective of keeping that number to the minimum necessary to meet the
requirements of the system, including the need for a 24-hour response capability. In each
agency, the number of individuals with such access is expected to be no more than
about a dozen, and, in each case, fewer than that number are expected to be in-
volved in the chip programming process. Moreover, all such individuals will hold na-
tional security clearances at least to the Secret level.
We understand the second question as asking the number of persons who will
have access to the key components at the agency to which the components have
been released for use in conjunction with lawfully authorized electronic surveillance.
We cannot, of course, provide a precise number of the persons at, for example, a
field office of the Drug Enforcement Administration, who might be present when a
key component is received from an escrow agent. In this regard, however, it should
be remembered that the key components are stored and transmitted in encrypted
form and that the encrypted components can only be decrypted, combined, and used
by the decrypt processor. Therefore, the receiving law enforcement agency has no
access to the unencrypted key. Consequently, we believe that what is important is
not the number of persons at the receiving law enforcement agency who may lay
eyes on an encrypted string of 80 bits, but, rather, the rigid controls over the con-
duct of electronic surveillance that may require decryption of key escrow-encrypted
communications.
Question 2. Can an escrow agent exercise discretion in the release of key informa-
tion? Can they refuse an inappropriate request?
Answer 2. The escrow agents are not in a position to exercise discretion regarding
the propriety of releasing key components in response to properly submitted re-
quests, because they should not substitute their judgment regarding the propriety
of decrypting communications for the judgment of the court that has authorized the
interception of such communications. The procedures for key component release to
government agencies are intended to permit escrow agents to respond promptly to
requests submitted in proper form and to maintain clear, auditable records of the
transaction.
A properly submitted request will include, among other things, identification of
the agency and individuals making the request, identification of the source of the
authorization to conduct electronic surveillance, and specification of the termination
date of the authorized surveillance period. Federal agency requests for releases
under Title III or FISA will be followed by an attorney's confirmation of authority
to conduct electronic surveillance; State or local requests are to be submitted by the
principal prosecuting attorney of the State or political subdivision involved. A key
escrow agent may not, of course, release a key component in response to a request
not meeting the requirements for submission, including, for example, one that does
not specify the source of the authorization.
Question 3. What is the process for auditing the activities of the escrow agents
and use of the keys?
Answer 3. Auditing will be possible at various stages of the process, as well as
in retrospect. Thus, for example, after being advised of a key component release re-
quest, the Department of Justice will make necessary inquiry to be assured that the
relevant Federal, State or local authorities have been authorized to conduct elec-
tronic surveillance for criminal investigative purposes, or that relevant Federal au-
thorities have been authorized to conduct electronic surveillance under FISA. (At
least at the outset, such inquiry will be made in all cases.) Key component releases
will require confirmation of receipt of the key components by the intended recipient
agency.
The fully developed key escrow database system will provide permanent electronic
records of transactions, particularly the details of releases of key components, with
secure audit capabilities built in. The compliance of the key escrow agents will be
subject to inspection, both by representatives of the Department of Justice and by
inspection personnel within their own organizations, to verify the relationship be-
tween each key escrow component release and a properly submitted release request
and receipt of a certification of termination of decryption capability in conjunction
with the end of the authorized period of electronic surveillance.
Later versions of the decrypt processor will automatically terminate decryption ca-
pability no later than the end of the period of authorized electronic surveillance. In
the prototype version, decryption capability is terminated manually. That termination can easily be confirmed by physical inspection, particularly since, in the early
stages of the program, the decrypt processors are expected to be centrally held.
These methods of confirming the integrity of the system are over and above those
procedures normally associated with electronic surveillance. For example, electronic
surveillance logs can be reviewed to confirm that a request for key component release truly was associated with the particular wiretap on which the requester relied.
Question 4. Situations have arisen where the government has created systems
that were only supposed to be used for one purpose but have been permitted to be
used for others. What protections are in place to make sure that the key escrow
databases held by the escrow agents are never used for any purpose other than to
decrypt messages pursuant to a lawful court order?
Answer 4. Each of the key escrow agents administers a database that comprises,
essentially, two groups of data: a series of chip unique ID numbers and, for each
chip unique ID number, a string of 80 bits that is stored only in encrypted form.
Those databases contain no personal information associated with individuals who
may own or use devices equipped with the particular chips; hence, the key escrow
databases are not susceptible to the kinds of misuse to which databases of personal
information might be subject.
Nonetheless, the Administration recognizes that it is crucial to ensure that key
components contained in those databases are only made available to government
agencies for use in conjunction with lawfully authorized electronic surveillance. For
that reason, rigorous procedures for release of key components have been approved
(copies of which are attached), and extremely strict database handling and process-
ing technology and procedures have been implemented and are being further re-
fined.
It should also be noted that key components will be provided requesting government agencies upon their certification of authority to conduct electronic surveillance;
their actual submission of a court order will not be necessary.
Question 5. How will the released escrow keys be transported to the law enforce-
ment agency requesting them? What safeguards will be used when transporting the
escrow keys?
Answer 5. Key components are stored and transmitted to law enforcement agen-
cies in encrypted form; they can be decrypted and combined only within the decrypt
processor. Thus, neither the escrow agents, nor personnel at the law enforcement
agency, will see the actual key components. Normally, the key components will be
transmitted electronically. Initially, for use in the prototype version of the decrypt
processor, they will be hand-carried by representatives of the respective escrow
agents, to be manually entered (in encrypted form) into the processor. More ad-
vanced versions of the decrypt processor will be able to receive input of the key com-
ponents electronically transmitted directly from the escrow facility.
Question 6. If an escrow location is compromised, all chip data contained there
is compromised with what could be devastating consequences for U.S. Government
and private sector entities using security devices with Clipper Chip. Do you antici-
pate that these locations will become targets of opportunity for any criminal or ter-
rorist organization? What back-up or physical security measures are envisioned? If
multiple copies of the keys are kept, does this increase the threat of compromise?
Answer 6. The key escrow system has been designed so that knowledge of one key
component provides no information regarding the other key component, nor regard-
ing the entire unique key. Moreover, the key components are themselves maintained
in encrypted form, so that a person with access to a key component database does
not even know the actual key components. Notwithstanding these safeguards built
into the system, physical security of the key-escrow databases is a matter of fun-
damental concern, and security procedures for handling and storing the databases
take full account of that concern. The key-escrow databases are to be held under
the kinds of protections accorded the most sensitive kinds of national security infor-
mation. Back-up database capabilities will be maintained, so that escrow agents will
be able to respond in a timely fashion even if the primary site is, for example, inca-
pacitated by a fire or power outage. The back-up capabilities are subject to the same
levels of protection as the primary systems.
Question 7. A decrypt device will receive an electronic transmittal of the two key
halves from the escrow agents. The decrypt device will then be able to decrypt the
intercepted message, until the wiretap authorization ends, when it will automati-
cally turn itself on. According to Department of Justice testimony at the May 3,
1994 hearing, one of these decrypt devices has been built. How many more of these
devices do you expect to be built? Will the decrypt devices be maintained in the
central secure facility? If so, who will maintain custody of the devices and how will
they be distributed to the law enforcement agencies that need them?
Answer 7. Termination of a decrypt processor's ability to decrypt communications
using a particular key-escrow chip is a fundamental protection built into the system,
and law enforcement agencies that have received key components will be required
to certify such termination. In the prototype model of the decrypt processor, that
termination is effected manually; automatic termination will be available in later
versions.
The number of decrypt processors that will ultimately be produced will probably
be in large measure a function of the number of key-escrow equipped devices in use
throughout the country and the number of times key-escrow encryption is encountered in the course of wiretaps. For the foreseeable future, it is likely that decrypt
processors would be centrally held by the FBI, to be made available for use in the
field on an as-needed basis.
Question 8. The objective of the key escrow encryption system is to provide "real-
time" electronic surveillance rather than recording and post-processing of targeted
encrypted communications. How will this be accomplished with only one decrypt device in the event that encrypted communications are intercepted over more than one
wiretap?
Answer 8. As noted in the previous question, the key escrow system is still in its
beginning phases and, therefore, the number of decrypt processors is, at the mo-
ment, necessarily limited. This condition will change over time. However, the fact
that there is only one decrypt processor currently available does not mean that it
can only be used in support of one wiretap at a time. The decrypt processor is capa-
ble of holding within its memory up to one hundred keys. Therefore, while it can
only decrypt one communication at a time, it can readily be shifted from one wiretap
to another as needed. Even wiretaps conducted at different locations can be accom-
modated by retransmitting an encrypted intercepted communication from the pri-
mary monitoring location to the location of the decrypt processor.
Question 9. The Attorney General has selected NIST and the Automated Systems
Division of the Treasury Department as the government agencies entrusted with
safeguarding the keys because they could handle sensitive material in computer
form and could respond quickly to requests for the keys.
• Is it correct that other government agencies could also satisfy these criteria?
• Could one or both of the escrow agents be non-government, private sector entities?
Answer 9. Of course, other government agencies could meet the requirements for
satisfactory service as key component escrow agents. Some of those agencies, how-
ever, might not be perceived as sufficiently independent of law enforcement or national security entities, or may otherwise not be considered as capable as the two
selected agencies.
With respect to the second question, it may not be necessary that both escrow
agents be government entities. However, should a private entity serve as an escrow
agent, there may be additional complexities regarding, among other things, the
terms of any contract under which the entity serves; provisions to ensure the contin-
ued corporate existence of such an entity; the entity's ability to accord the database
the necessary physical security; the entity's ability to staff the system with suffi-
cient numbers of appropriately cleared personnel; and its ability and willingness to
respond to key component requests from all authorized law enforcement agencies,
State and local as well as Federal.
Question 10. Can the Attorney General change the escrow agents after the initial
selection? How can the government be prevented from moving the escrow respon-
sibilities to a more pliable escrow agent, if one of the agents refuses to turn over
the keys?
Answer 10. The Attorney General can designate an alternative escrow agent, and,
as part of its continuing review of ways to make the system even better, the Admin-
istration is considering whether there should be at least one escrow agent not with-
in the Cabinet Departments. Designation of an alternative escrow agent would en-
tail substantial complexities, not to mention considerable costs associated with es-
tablishing the necessary capabilities in the new agency. It will not be done lightly,
nor could it be done without a good deal of publicity. Replacement of one escrow
agent with another would involve even greater complexities, since it would require
the first to convey to the second its entire database to permit continuity in the handling and auditing of the database.
The second question seems to hypothesize an escrow agent's refusal to release a
requested key component, followed by a retaliatory transfer of escrow agent respon-
sibilities to an agency deemed less likely to be recalcitrant. The short answer is that
such a replacement, while theoretically possible, could abrogate the integrity of the
system and would very likely undermine public confidence in it. Moreover, the Clin-
ton Administration would not accept as an escrow agent an entity that would not
fully comply with the protections built into the system. Indeed, regardless of the ad-
ministration in power, the fact that such a change would be logistically very difficult
and could only be done in a very public fashion makes it an extremely unlikely sce-
nario.
Question 11. In explaining the procedures the escrow agents must follow to safe-
guard the keys, the Attorney General stated "the procedures do not create, and are
not intended to create any substantive rights for individuals intercepted through
electronic surveillance." Does this, in effect, give the escrow agents immunity from
liability for mishandling the keys? Does this give the right incentives to the escrow
agents about safeguarding the keys? What are the current available remedies for
mishandling the keys?
Answer 11. The language to which you refer is part of the final paragraph in each
of the three published sets of procedures for release of key components under, re-
spectively, Title III, the Foreign Intelligence Surveillance Act (FISA), and State
criminal wiretap statutes.
The language is intended to make clear that the procedures themselves do not
create any rights for individuals whose communications have been intercepted and
for whose devices key components have been made available to government agen-
cies. On the other hand, neither does the language abolish any rights that may oth-
erwise exist by statute or at common law. It is not intended to be, nor could it serve
to immunize the Government or its agents from liability for inappropriate release
of escrowed key components if there is some basis in law for imposing liability on
such persons.
In this regard, it is important to bear in mind the fundamental interest at issue;
namely, the protection of the privacy of communications. Release of key escrow com-
ponents to permit decryption is an adjunct to the interception of communications
and the acquisition of the contents thereof — much like arranging for translation of
communications occurring in a foreign language. The privacy interest in the communication continues to be protected by the Fourth Amendment and by the relevant
statutes — Title III, FISA, or the individual State statutes. Unauthorized electronic
surveillance is a Federal felony offense, regardless of whether the intercepted communications are encrypted.
While key components must only be released to proper recipients and under ap-
propriate conditions, there should be no confusion about the fact that an individual's
privacy interest inheres in his or her communications. If key components are released to a government agency entitled to intercept communications encrypted with
a chip for which those components form the chip unique key, a departure from some
technical aspect of the key release procedures will not — and should not — render either the intercept or the decryption unlawful. If key components are for some reason
released to an entity not entitled to receive them, but are not used in conjunction
with a communications intercept, the individual will not have suffered an invasion
of his or her communications privacy. It is not clear under what, if any, cir-
cumstances mere release of one or even both keys might create civil liability, if that
release does not facilitate an unlawful electronic surveillance.
Question 12. Should the U.S. government be prepared to make a strong warranty
to the American public about the security of the key escrow system? Could this war-
ranty be in the form of stiff penalties for breaches of the escrow procedures and in-
demnification for those whose chips are compromised due to failures in the security
of the escrow system?
Answer 12. The Clinton Administration has already given strong assurances to
the American public about the security of the key escrow system and will continue
to do so. It is not clear whether public perceptions about key-escrow encryption
would be materially affected by either imposition of penalties for breach of escrow
procedures or indemnification of persons whose chips have been compromised
through escrow system security failures.
It may, however, be useful to make a few points regarding those possible ap-
proaches. First, as noted in the answer to the preceding question, the privacy pro-
tection attaches to the communication, not merely to the keys needed to decrypt
that communication. Federal law already imposes severe penalties (both civil and
criminal) for unlawful interception of communications, and, therefore, no additional
penalties are needed in that regard.
Second, some persons speak of a variety of circumstances as constituting a "compromise" of a key escrow encryption chip. It is not clear that mere release of key
components for a particular chip to persons not authorized to intercept communica-
tions encrypted with that chip necessarily means that the chip has been com-
promised. The key components alone do not permit decryption of communications
encrypted with the particular chip; that process requires, as well, access to a
decryption capability. Moreover, decryption of communications requires access to the
communications themselves, the privacy of which is subject to the protections of the
Fourth Amendment and relevant statutes.
Question 13. Should there be civil or even criminal liability for wrongfully disclos-
ing any of the component keys to the key escrow chips? If not, why not?
Answer 13. As noted in the answers to the two preceding questions, the rigorous
statutory protections against unauthorized electronic surveillance and against unau-
thorized disclosure of electronic surveillance already provide both civil and criminal
penalties for the unlawful interception of communications and the unauthorized dis-
closure of the contents of lawfully intercepted communications. (See 18 U.S.C.
§§2511, 2517, and 2520.) Release of escrowed key components would, at most, facili-
tate understanding of the contents of intercepted communications. An individual's
willful or reckless release of key components in a manner not consistent with the
operative procedures would likely be subject to administrative action. Separate
criminal or civil penalties do not appear to be needed.
Question 14. The Department of Justice testified at the May 3, 1994 hearing that
no new legislation was needed to implement the key escrow encryption program.
• Should the Justice Department be required by law to report to Congress on
those wiretaps in which key-escrow encryption was encountered and for which
key components were released to a government agency?
• Should the Justice Department's new responsibilities for ensuring compliance
with the key escrow procedures by State and local law enforcement authorities
be codified in law?
• Should the Justice Department be required by law to give Congress a complete
accounting of the number, use and location of the decrypt devices?
• Should procedures for changing an escrow agent be codified in law?
Answer 14. The Department of Justice does not see a need for legislation to deal
with any of these matters. For example, the Department already expects that Con-
gress will be made aware of wiretaps in which key-escrow encryption was encoun-
tered and for which key components were released. The Department expects to pro-
vide such information to the Administrative Office of the United States Courts for
inclusion in the Office's annual report to the Congress on electronic surveillance
under Title III and State statutes. With respect to electronic surveillance under
FISA, the Department will provide such information as part of its FISA report to
the intelligence oversight committees.
The Department does not anticipate difficulty with assuring State and local com-
pliance with key component release procedures, particularly when the decryption ca-
pability rests exclusively in the hands of the Federal Government. With regard to
the possible accounting for decrypt processors and their use and location, the De-
partment does not object to providing such information to the Congress on a periodic
basis. Finally, with regard to the selection of escrow agents, the Department be-
lieves that legislation to govern the process by which the Executive Branch might
select an alternative escrow agent could hamper its ability to improve the system.
Any selection of alternative escrow agents would, like the selection of the current
agents, be preceded by appropriate consultation with the Congress.
Question 15. How will State and local law enforcement agencies access the key
escrow system? Will every local Sheriff or police department that wants a decrypt
device or the Chip Family Key get one?
Answer 15. The procedures for releasing key components for use in conjunction
with wiretaps under State statutes are much the same as those for release of key
components in conjunction with wiretaps under Title III or FISA. An important dif-
ference, however, is that requests for key components from State and local authori-
ties cannot be submitted by law enforcement agencies; rather, they are to be submit-
ted by the principal prosecuting attorney of the particular State or political subdivision. This not only significantly reduces the total number of entities that might
make requests, but ensures that requests are made by high-level, usually elected
officials, of the various jurisdictions.
As noted in the answer to an earlier question, the Administration recognizes that
access to decrypt processors must remain carefully controlled. Among other things,
key components will be released for use within a particular decrypt processor and
will only be able to be decrypted and combined within that unit. Accordingly, careful
control of the decrypt processors will contribute significantly to assurances of the
integrity of the system.
Law enforcement agencies will not have access to the family key other than as
programmed into the decrypt processor.
Question 16. Every Clipper Chip has the same Family Key programmed into it.
When a wiretap intercepts conversations encrypted with Clipper Chip, law enforce-
ment uses this Family Key to decode the intercepted serial number, or unique iden-
tifier, which the targeted chip sends out at the beginning of every conversation.
With the serial number, the law enforcement agency can get the government's duplicate set of decoding keys from the escrow agents.
• Who has access to the Chip Family Key? Are they going to be distributed to all
law enforcement agencies so they can quickly decipher serial numbers of chips
that may become the target of a wiretap order?
• Will the Chip Family Key to all Clipper Chips be protected in any way and,
if so, how?
• The Chip Family Key is built into the Chip when it is programmed and cannot
be changed. In the event that someone got unauthorized access to the Chip
Family Key, what could that person do with it?
Answer 16. With respect to the first question, access to the family key is very
closely held. The family key is the combination of two binary numbers that are inde-
pendently and randomly generated and held, respectively, by the Department of
Justice and the FBI. The combined family key is held under tightly controlled condi-
tions in a dual-control safe at the programming facility for use in the programming
process. When needed for a programming run, the family key is extracted from storage by specially designated employees of the programming facility, in the presence
of representatives of the escrow agents, and entered into the programmer. At the
end of a programming run, the programmer is again cleared of the family key. In
addition, the family key is programmed into decryption equipment so that such
equipment can discern the particular chip ID number when necessary.
With respect to the question regarding availability of the family key to law en-
forcement agencies, the foregoing explanation indicates the extraordinary limita-
tions on access to the family key. Law enforcement agencies desirous of learning
whether a particular communication is encrypted with key-escrow encryption and,
if so, learning the particular chip ID number will have access to the family key only
as programmed into the decrypt processor. This may require a particular law en-
forcement agency not possessing such a processor to provide to an agency that does
hold one the communications suspected of being encrypted, so that the initial deter-
mination can be made. It should be emphasized, however, that a law enforcement
agency's determination of whether communications are being encrypted, and of the
ID number of the chip performing the encryption, would occur in conjunction with
the conduct of a lawfully authorized wiretap — not, as the question may imply, as
part of activities preceding such authorization.
Notwithstanding the protections afforded the family key, access to that key is of
only minimal value to a law enforcement agency. Apart from its ability to provide
the law enforcement agency the ID number of a particular encryption chip, the fam-
ily key, whether or not in the decrypt processor, is of no discernible value. The fam-
ily key provides no access to the user's encrypted communications, nor does it make
it any more possible for the law enforcement agency to conduct electronic surveil-
lance of either encrypted or unencrypted communications.
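As an added illustration, not code from the hearing or from the Clipper program itself, the following Python model ties together the mechanism described in Answer 6 (two independently generated key components, held only in encrypted form and combined only inside the decrypt processor) and Answer 16 (a family key common to all chips that yields only the chip ID, never the content), together with the request checks of Answer 2 and the termination of decryption capability described in Answer 7. It assumes a SHA-256 counter-mode stream cipher as a stand-in for Skipjack, XOR as the way the two components form the 80-bit unique key, and invented widths for the chip ID and nonces; the agent names, the field layout and the sample request are constructed for the example.

```python
import hashlib
import secrets

KEY_BYTES = 10   # the hearing refers to an 80-bit chip unique key
ID_BYTES = 4     # chip ID width, an assumption of this model
NONCE = 8        # nonce width, an assumption of this model


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key, nonce, data):
    """Stand-in for Skipjack (assumption): SHA-256 counter-mode stream; same call decrypts."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1)]
    return xor(data, b"".join(blocks))


def program_chip():
    """Programming facility: two independent random components; unique key = c1 XOR c2."""
    c1, c2 = secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES)
    return xor(c1, c2), c1, c2


def component_consistent_with(c1, guessed_key):
    """Answer 6: every guessed key has a second component that fits, so c1 alone reveals nothing."""
    return xor(c1, guessed_key)


class EscrowAgent:
    """One agent's database: chip ID -> component, held only in encrypted form (Answer 4)."""

    def __init__(self):
        self._storage_key = secrets.token_bytes(32)
        self._db = {}
        self.audit_log = []   # permanent record of every release (Answer 3)

    def deposit(self, chip_id, component):
        nonce = secrets.token_bytes(NONCE)
        self._db[chip_id] = (nonce, toy_cipher(self._storage_key, nonce, component))

    def release(self, chip_id, request, processor_key):
        # Answer 2: a request lacking any required field is refused outright.
        for field in ("agency", "requester", "authorization_source", "termination_date"):
            if not request.get(field):
                raise PermissionError(f"request missing {field}")
        nonce, ct = self._db[chip_id]
        self.audit_log.append((chip_id.hex(), dict(request)))
        # Answers 5 and 17: re-encrypted for one specific decrypt processor only.
        out_nonce = secrets.token_bytes(NONCE)
        return out_nonce, toy_cipher(processor_key, out_nonce, toy_cipher(self._storage_key, nonce, ct))


def chip_encrypt_call(chip_id, unique_key, family_key, message):
    """Device side: per-call session key, plus a field (chip ID + session key wrapped
    under the unique key) encrypted under the family key common to all chips (Q16)."""
    session_key = secrets.token_bytes(KEY_BYTES)
    n_msg, n_uk, n_fam = (secrets.token_bytes(NONCE) for _ in range(3))
    wrapped = toy_cipher(unique_key, n_uk, session_key)
    field = toy_cipher(family_key, n_fam, chip_id + n_uk + wrapped)
    return (n_msg, toy_cipher(session_key, n_msg, message)), (n_fam, field)


class DecryptProcessor:
    """The only place components are decrypted and combined; holds the family key."""

    def __init__(self, family_key):
        self.family_key = family_key
        self.transport_key = secrets.token_bytes(32)   # per-processor key
        self._keys = {}   # chip_id -> (unique key, termination date)

    def open_field(self, field):
        """Answer 16: the family key yields the chip ID (plus the still-wrapped session key), not the content."""
        plain = toy_cipher(self.family_key, field[0], field[1])
        return plain[:ID_BYTES], plain[ID_BYTES:ID_BYTES + NONCE], plain[ID_BYTES + NONCE:]

    def load_components(self, chip_id, enc_parts, termination_date):
        parts = [toy_cipher(self.transport_key, n, ct) for n, ct in enc_parts]
        self._keys[chip_id] = (xor(*parts), termination_date)

    def decrypt_call(self, ciphertext, field, today):
        chip_id, n_uk, wrapped = self.open_field(field)
        unique_key, termination = self._keys[chip_id]
        if today > termination:            # Answer 7: capability ends with the order
            del self._keys[chip_id]
            raise PermissionError("authorized period ended; capability terminated")
        return toy_cipher(toy_cipher(unique_key, n_uk, wrapped), ciphertext[0], ciphertext[1])


def run_flow(message=b"constructed sample call content", today="1994-05-03"):
    """End to end: program, escrow, intercept, identify chip, release, combine, decrypt."""
    family_key, chip_id = secrets.token_bytes(32), secrets.token_bytes(ID_BYTES)
    unique_key, c1, c2 = program_chip()
    agents = (EscrowAgent(), EscrowAgent())
    for agent, component in zip(agents, (c1, c2)):
        agent.deposit(chip_id, component)
    processor = DecryptProcessor(family_key)
    ciphertext, field = chip_encrypt_call(chip_id, unique_key, family_key, message)
    request = {"agency": "field office (constructed)", "requester": "constructed",
               "authorization_source": "court order no. PLACEHOLDER", "termination_date": "1994-06-01"}
    cid = processor.open_field(field)[0]          # family key gives the chip ID only
    enc_parts = [a.release(cid, request, processor.transport_key) for a in agents]
    processor.load_components(cid, enc_parts, request["termination_date"])
    plain = processor.decrypt_call(ciphertext, field, today)
    return plain, cid == chip_id, sum(len(a.audit_log) for a in agents)
```

Two points the code makes that the prose only asserts: `component_consistent_with` shows why a single component is worthless on its own (for every candidate unique key there is a second component that would produce it), and `decrypt_call` shows that the termination check has to live inside the processor, since nothing outside it ever holds the combined key.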
Question 17. The Justice Department has assumed responsibility to "take steps
to monitor compliance with the procedures." What steps will the Justice Department
take to monitor compliance by state and local law enforcement authorities, who con-
duct the majority of wiretaps, to ensure that (a) the decrypt devices are adequately
safeguarded and are deactivated when the authorization period ends; (b) the Chip
Family Key is adequately safeguarded and (c) communications to the escrow agents
are authentic?
Answer 17. The question correctly notes that the majority of criminal wiretaps are
conducted by State and local law enforcement. If key-escrow encryption becomes
widely used, one can infer that a significant proportion of the key component re-
leases will be associated with wiretaps conducted under State statutes. It is, of
course, of fundamental importance that escrowed keys are no more susceptible to
improper use by State or local authorities than by Federal agencies.
(a) As noted earlier, the Department of Justice expects that, for some time,
decrypt processors will be few in number and centrally maintained and controlled. In that event, it will be relatively easy to be assured that a decrypt
processor is not diverted to an unauthorized person and that the decryption capability is terminated at the end of the authorized period of electronic surveillance. At a later time, should a State or local law enforcement agency be able
to acquire and hold its own decrypt processor, we expect that the decrypt processor version will be one that will, among other things, (a) produce an electronic
receipt for the key components transmitted to it, (b) have the capability of
decrypting and combining only key components destined for that specific
decrypt processor, and (c) automatically terminate its ability to decrypt the particular encryption chip. These technical characteristics, coupled with the continuing requirement that the key component request must come from the principal prosecuting attorney of a State or political subdivision, will offer great assurance against diversion of decrypt processors and unauthorized retention of
decryption capabilities.
(b) With respect to the family key, the short answer is that the family key
will not be available to State or local authorities, save within decrypt processors. Apart from its ability to provide the law enforcement agency the ID
number of a particular encryption chip, the family key, whether or not in the
decrypt processor, is of no discernible value to that agency. The family key pro-
vides no access to the user's encrypted communications.
(c) Requests from State or local authorities for release of key components are
to come, not from law enforcement agencies, but from the principal prosecuting
attorneys of the States or political subdivisions involved. The authenticity of
such submissions can be confirmed by contact with the principal prosecuting at-
torney involved, which is expected to be a rather easy matter.
Question 18. American firms are allowed to export Clipper Chip devices to non-
U.S. customers. What procedures are contemplated or in place to deal with requests
by foreign law enforcement authorities for access to the keys to any Clipper Chip
device being used abroad?
Answer 18. The Administration is according this issue careful consideration at
this time. The Department of Justice believes that a number of important consider-
ations would apply to any decision on whether to comply with a foreign country's
request for assistance in decryption of key-escrow encrypted communications. For
example, it will be important to know whether American citizens are targets of the
electronic surveillance, and it will likely be important to know the reason for the
electronic surveillance and the circumstances under which it was authorized, as well
as whether the United States also has an interest in the electronic surveillance. It
should also be noted that we may be able to assist the foreign country without pro-
viding it either decryption equipment or the key components for the particular
encryption chip — by, for instance, decrypting the communications in this country
and merely providing the decrypted text to the requester.
Answers to Questions From Senator Pressler to Assistant Attorney
General Jo Ann Harris
Question 1. Why do you believe that private manufacturers and users will pur-
chase equipment which contains the Skipjack algorithm if that means the govern-
ment can decode any encrypted messages, once it obtains the proper court approval?
Answer 1. Your question rightly notes that key-escrow encryption chips use the
Skipjack algorithm, an algorithm substantially stronger than others now in common
use; it is, for example, 16 million times stronger than the Data Encryption Standard
(DES). The strength of the Skipjack algorithm makes key-escrow encryption chips
attractive for use by the Federal Government in protecting sensitive unclassified in-
formation.
Likewise, we believe that it will make such chips attractive to the private sector,
and for much the same reason; namely, that it is a remarkably strong protection
against intrusion by eavesdroppers or even persons or entities engaged in corporate
espionage. Most of us recognize that we will never be the targets of wiretaps and
we do not fear that prospect. We do, however, worry about illicit interception of our
communications, and strong encryption is excellent insurance against such activi-
ties.
In addition, we believe that many businesses will come to recognize the value of
strong encryption that protects their proprietary information from unauthorized access, but does not permit their employees to engage with impunity in criminal activities inimical to the firms' interest and law enforcement would be rendered helpless to investigate.
Question 2. What types of incentives does the Administration plan to use to en-
courage the use of the Clipper Chip? What are the future steps of implementation
which the Administration proposes to take?
Answer 2. Various Executive Branch agencies are considering whether, and for
what purposes, they may adopt key-escrow encryption and make it possible for persons
outside the government to use key-escrow encryption for conducting secure
communications with them. The Administration is also consulting with tele-
communications equipment manufacturers regarding possible incorporation of key-
escrow encryption in their products. In addition, the easy exportability of products
equipped with key-escrow encryption should prove to be very attractive both to U.S.
manufacturers of such equipment and to their customers.
Question 3. I understand the Administration is considering replacing one of the
two escrow agents with a more neutral third-party, such as an entity in the Judicial
branch or in the private sector. Which entities are being considered? What criteria
must any prospective escrow agent have?
Answer 3. The Administration continues to look for ways to improve the key-escrow
system. The system may be perceived to improve by the designation of at least
one alternative escrow agent. Accordingly, the Administration is considering whether
such an alternative should be designated and, if so, what must be done to effect
such a designation. For example, an entity that is not part of a Cabinet Department
may require legislative authority to serve as an escrow agent.
In selecting escrow agents, we looked for a number of important qualifications.
Among other things, the candidates needed to:
• Be experienced in handling sensitive materials;
• Be familiar with communications and computer issues;
• Be able to respond quickly, and around the clock, when government agencies
need to have encryption keys issued to them; and
• Be generally regarded by the public as both reliable and effective.
Answer to a Question From Senator Murray to Assistant Attorney General
Jo Ann Harris
Question 1. In my office in the Hart building this February, I downloaded from
the Internet an Austrian program that uses DES encryption. This was on a laptop
computer, using a modem over a phone line. The Software Publishers' Association
says there are at least 120 DES or comparable programs worldwide. However, U.S.
export control laws prohibit American exporters from selling comparable DES pro-
grams abroad.
With at least 20 million people hooked up to the Internet, how do U.S. export con-
trols actually prevent criminals, terrorists or whoever from obtaining DES encrypted
software?
Answer 1. On the matter of export controls on encrypted software, the Department
of Justice defers to the National Security Agency, which, we understand, has
been asked the same question.
Appendix
KEY COMPONENT RELEASE PROCEDURES
Authorization procedures for release of encryption key components in conjunction
with intercepts pursuant to Title III
The following are the procedures for the release of escrowed key components in
conjunction with lawfully authorized interception of communications encrypted with
a key-escrow encryption method. These procedures cover all electronic surveillance
conducted pursuant to Title III of the Omnibus Crime Control and Safe Streets Act
of 1968, as amended (Title III), Title 18, United States Code, Section 2510 et seq.
(1) In each case there shall be a legal authorization for the interception
of wire and/or electronic communications.
(2) All electronic surveillance court orders under Title III shall contain
provisions authorizing after-the-fact minimization, pursuant to 18 U.S.C.
2518(5), permitting the interception and retention of coded communications,
including encrypted communications.
(3) In the event that federal law enforcement agents discover during the
course of any lawfully authorized interception that communications
encrypted with a key-escrow encryption method are being utilized, they
may obtain a certification from the investigative agency conducting the investigation,
or the Attorney General of the United States or designee thereof. Such certification
shall:
(a) identify the law enforcement agency or other authority conducting
the interception and the person providing the certification;
(b) certify that necessary legal authorization has been obtained to con-
duct electronic surveillance regarding these communications;
(c) specify the termination date of the period for which interception has
been authorized;
(d) identify by docket number or other suitable method of specification
the source of the authorization;
(e) certify that communications covered by that authorization are being
encrypted with a key-escrow encryption method;
(f) specify the identifier (ID) number of the key-escrow encryption chip
providing such encryption; and
(g) specify the serial (ID) number of the key-escrow decryption device
that will be used by the law enforcement agency or other authority for
decryption of the intercepted communications.
(4) The agency conducting the interception shall submit this certification
to each of the designated key component escrow agents. If the certification
has been provided by an investigative agency, as soon thereafter as prac-
ticable, an attorney associated with the United States Attorney's Office su-
pervising the investigation shall provide each of the key component escrow
agents with written confirmation of the certification.
(5) Upon receiving the certification from the requesting investigative
agency, each key component escrow agent shall release the necessary key
component to the requesting agency. The key components shall be provided
in a manner that assures they cannot be used other than in conjunction
with the lawfully authorized electronic surveillance for which they were re-
quested.
(6) Each of the key component escrow agents shall retain a copy of the
certification of the requesting agency, as well as the subsequent confirma-
tion of the United States Attorney's Office. In addition, the requesting agen-
cy shall retain a copy of the certification and provide copies to the following
for retention in accordance with normal recordkeeping requirements:
(a) the United States Attorney's Office supervising the investigation,
and
(b) the Department of Justice, Office of Enforcement Operations.
(7) Upon, or prior to, completion of the electronic surveillance phase of
the investigation, the ability of the requesting agency to decrypt intercepted
communications shall terminate, and the requesting agency may not retain
the key components.
(8) The Department of Justice shall, in each such case,
(a) ascertain the existence of authorizations for electronic surveillance
in cases for which escrowed key components have been released;
(b) ascertain that key components for a particular key-escrow
encryption chip are being used only by an investigative agency authorized
to conduct electronic surveillance of communications encrypted with that
chip; and
(c) ascertain that, no later than the completion of the electronic surveillance
phase of the investigation, the ability of the requesting agency to
decrypt intercepted communications is terminated.
(9) In reporting to the Administrative Office of the United States Courts
pursuant to 18 U.S.C. Section 2519(2), the Assistant Attorney General for
the Criminal Division shall, with respect to any order for authorized elec-
tronic surveillance for which escrowed encryption components were released
and used for decryption, specifically note that fact.
These procedures do not create, and are not intended to create, any substantive
rights for individuals intercepted through electronic surveillance, and noncompli-
ance with these procedures shall not provide the basis for any motion to suppress
or other objection to the introduction of electronic surveillance evidence lawfully ac-
quired.
Authorization procedures for release of encryption key components in conjunction
with intercepts pursuant to state statutes
Key component escrow agents may only release escrowed key components to law
enforcement or prosecutorial authorities for use in conjunction with lawfully author-
ized interception of communications encrypted with a key-escrow encryption meth-
od. These procedures apply to the release of key components to State and local law
enforcement or prosecutorial authorities for use in conjunction with interceptions
conducted pursuant to relevant State statutes authorizing electronic surveillance,
and Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amend-
ed, Title 18, United States Code, Section 2510 et seq.
(1) The State or local law enforcement or prosecutorial authority must be
conducting an interception of wire and/or electronic communications pursu-
ant to lawful authorization.
(2) Requests for release of escrowed key components must be submitted to
the key component escrow agents by the principal prosecuting attorney of
the State, or of a political subdivision thereof, responsible for the lawfully
authorized electronic surveillance.
(3) The principal prosecuting attorney of such State or political subdivision
of such State shall submit with the request for escrowed key components
a certification that shall:
(a) identify the law enforcement agency or other authority conducting
the interception and the prosecuting attorney responsible therefor;
(b) certify that necessary legal authorization for interception has been
obtained to conduct electronic surveillance regarding these communications;
(c) specify the termination date of the period for which interception has
been authorized;
(d) identify by docket number or other suitable method of specification
the source of the authorization;
(e) certify that communications covered by that authorization are being
encrypted with a key-escrow encryption method;
(f) specify the identifier (ID) number of the key-escrow chip providing
such encryption; and
(g) specify the serial (ID) number of the key-escrow decryption device
that will be used by the law enforcement agency or other authority for
decryption of the intercepted communications.
(4) Such certification must be submitted by the principal prosecuting at-
torney of that State or political subdivision to each of the designated key
component escrow agents.
(5) Upon receiving the certification from the principal prosecuting attor-
ney of the State or political subdivision, each key component escrow agent
shall release the necessary key component to the intercepting State or local
law enforcement agency or other authority. The key components shall be
provided in a manner that assures they cannot be used other than in con-
junction with the lawfully authorized electronic surveillance for which they
were requested.
(6) Each of the key component escrow agents shall retain a copy of the
certification of the principal prosecuting attorney of the State or political
subdivision. In addition, such prosecuting attorney shall provide a copy of
the certification to the Department of Justice, for retention in accordance
with normal recordkeeping requirements.
(7) Upon, or prior to, completion of the electronic surveillance phase of
the investigation, the ability of the intercepting law enforcement agency or
other authority to decrypt intercepted communications shall terminate, and
the intercepting law enforcement agency or other authority may not retain
the key components.
(8) The Department of Justice may, in each such case, make inquiry to:
(a) ascertain the existence of authorizations for electronic surveillance
in cases for which escrowed key components have been released;
(b) ascertain that key components for a particular key-escrow
encryption chip are being used only by an investigative agency authorized
to conduct electronic surveillance of communications encrypted with that
chip; and
(c) ascertain that, no later than the completion of the electronic surveil-
lance phase of the investigation, the ability of the requesting agency to
decrypt intercepted communications is terminated.
(9) In reporting to the Administrative Office of the United States Courts
pursuant to 18 U.S.C. Section 2519(2), the principal prosecuting attorney
of a State or of a political subdivision of a State may, with respect to any
order for authorized electronic surveillance for which escrowed encryption
components were released and used for decryption, desire to note that fact.
These procedures do not create, and are not intended to create, any substantive
rights for individuals intercepted through electronic surveillance, and noncompli-
ance with these procedures shall not provide the basis for any motion to suppress
or other objection to the introduction of electronic surveillance evidence lawfully ac-
quired.
Authorization procedures for release of encryption key components in conjunction
with intercepts pursuant to FISA
The following are the procedures for the release of escrowed key components in
conjunction with lawfully authorized interception of communications encrypted with
a key-escrow encryption method. These procedures cover all electronic surveillance
conducted pursuant to the Foreign Intelligence Surveillance Act (FISA), Pub. L. 95-
511, which appears at Title 50, U.S. Code, Section 1801 et seq.
(1) In each case there shall be a legal authorization for the interception
of wire and/or electronic communications.
(2) In the event that federal authorities discover during the course of any
lawfully authorized interception that communications encrypted with a key-escrow
encryption method are being utilized, they may obtain a certification
from an agency authorized to participate in the conduct of the interception,
or from the Attorney General of the United States or designee thereof. Such
certification shall:
(a) identify the agency participating in the conduct of the interception
and the person providing the certification;
(b) certify that necessary legal authorization has been obtained to conduct
electronic surveillance regarding these communications;
(c) specify the termination date of the period for which interception has
been authorized;
(d) identify by docket number or other suitable method of specification
the source of the authorization;
(e) certify that communications covered by that authorization are being
encrypted with a key-escrow encryption method;
(f) specify the identifier (ID) number of the key-escrow encryption chip
providing such encryption; and
(g) specify the serial (ID) number of the key-escrow decryption device
that will be used by the agency participating in the conduct of the interception
for decryption of the intercepted communications.
(4) This certification shall be submitted to each of the designated key
component escrow agents. If the certification has been provided by an agen-
cy authorized to participate in the conduct of the interception, a copy shall
be provided to the Department of Justice, Office of Intelligence Policy and
Review. As soon as possible, an attorney associated with that office shall
provide each of the key component escrow agents with written confirmation
of the certification.
(5) Upon receiving the certification, each key component escrow agent
shall release the necessary key component to the agency participating in
the conduct of the interception. The key components shall be provided in
a manner that assures they cannot be used other than in conjunction with
the lawfully authorized electronic surveillance for which they were requested.
(6) Each of the key component escrow agents shall retain a copy of the
certification, as well as the subsequent written confirmation of the Depart-
ment of Justice, Office of Intelligence Policy and Review.
(7) Upon, or prior to, completion of the electronic surveillance phase of
the investigation, the ability of the agency participating in the conduct of
the interception to decrypt intercepted communications shall terminate, and
such agency may not retain the key components.
(8) The Department of Justice shall, in each such case,
(a) ascertain the existence of authorizations for electronic surveillance
in cases for which escrowed key components have been released;
(b) ascertain that key components for a particular key-escrow
encryption chip are being used only by an agency authorized to participate
in the conduct of the interception of communications encrypted with that
chip; and
(c) ascertain that, no later than the completion of the electronic surveillance
phase of the investigation, the ability of the agency participating in
the conduct of the interception to decrypt intercepted communications is
terminated.
(9) Reports to the House Permanent Select Committee on Intelligence and
the Senate Select Committee on Intelligence, pursuant to Section 108 of
FISA, shall, with respect to any order for authorized electronic surveillance
for which escrowed encryption components were released and used for
decryption, specifically note that fact.
These procedures do not create, and are not intended to create, any substantive
rights for individuals intercepted through electronic surveillance, and noncompli-
ance with these procedures shall not provide the basis for any motion to suppress
or other objection to the introduction of electronic surveillance evidence lawfully ac-
quired.
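The Title III release procedure above (steps 3 through 7), and the recombination of two escrowed key components into one chip-unique key, modelled as an added example that is not part of the hearing record or of any government system. It assumes an XOR split of the chip-unique key into two equal-length components, ISO-formatted dates, and that the "manner that assures they cannot be used other than in conjunction with the lawfully authorized electronic surveillance" is a binding of each released component to the decryption device serial and termination date named in the certification; all agency, docket and device values are constructed placeholders.

```python
"""Model of the appendix's Title III key-component release procedure (steps 3-7).

Added illustration only; not code from the hearing record or any government system.
Assumptions not stated on the page: the chip-unique key is the XOR of two equal-length
components, one per escrow agent; dates are ISO strings (YYYY-MM-DD, which compare
correctly as text); and "provided in a manner that assures they cannot be used other
than in conjunction with the lawfully authorized electronic surveillance" is modelled
by binding each released component to the decryption device serial and termination date.
"""
import secrets

# Fields (a)-(g) of the step (3) certification: (a) agency and certifying person,
# (b) legal authorization, (c) termination date, (d) docket, (e) key escrow in use,
# (f) encryption chip ID, (g) decryption device serial.
REQUIRED_FIELDS = ("agency", "certifier", "legal_authorization", "termination_date",
                   "docket", "key_escrow_in_use", "chip_id", "decrypt_device_serial")


class ReleaseRefused(Exception):
    """An escrow agent or the decryption device refused to act."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_unit_key(unit_key: bytes) -> tuple[bytes, bytes]:
    """Assumed XOR split: either component alone is uniformly random."""
    first = secrets.token_bytes(len(unit_key))
    return first, xor_bytes(unit_key, first)


class EscrowAgent:
    """One designated escrow agent holding one component per chip ID."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._components: dict[int, bytes] = {}
        self.records: list[dict] = []  # step (6): retained copies of certifications

    def deposit(self, chip_id: int, component: bytes) -> None:
        self._components[chip_id] = component

    def release(self, cert: dict, today: str) -> dict:
        """Step (5): hand over this agent's component only for a complete
        certification whose authorization period has not already ended."""
        missing = [f for f in REQUIRED_FIELDS if f not in cert]
        if missing:
            raise ReleaseRefused(f"{self.name}: certification lacks {missing}")
        if not (cert["legal_authorization"] and cert["key_escrow_in_use"]):
            raise ReleaseRefused(f"{self.name}: items (b) or (e) not certified")
        if cert["termination_date"] < today:
            raise ReleaseRefused(f"{self.name}: authorization period has ended")
        if cert["chip_id"] not in self._components:
            raise ReleaseRefused(f"{self.name}: no component for chip {cert['chip_id']}")
        self.records.append(dict(cert))
        # The component leaves bound to the device and period it was requested for.
        return {"chip_id": cert["chip_id"], "component": self._components[cert["chip_id"]],
                "device": cert["decrypt_device_serial"], "until": cert["termination_date"]}


def recombine(device_serial: str, parts: list[dict], today: str) -> bytes:
    """Model decryption device: recombines both components only for the device and
    chip they were released for, and never after the termination date (step (7))."""
    if len(parts) != 2:
        raise ReleaseRefused("components from both escrow agents are required")
    if parts[0]["chip_id"] != parts[1]["chip_id"]:
        raise ReleaseRefused("components belong to different chips")
    for part in parts:
        if part["device"] != device_serial:
            raise ReleaseRefused("component was not released for this device")
        if today > part["until"]:
            raise ReleaseRefused("decryption ability terminated with the authorization")
    return xor_bytes(parts[0]["component"], parts[1]["component"])


def walkthrough() -> dict:
    """Constructed scenario: deposit, certify, release, recombine, then refusals."""
    unit_key = bytes.fromhex("00112233445566778899")  # constructed 80-bit key
    chip_id = 0x1234
    first, second = split_unit_key(unit_key)
    agents = [EscrowAgent("Agent-1"), EscrowAgent("Agent-2")]
    agents[0].deposit(chip_id, first)
    agents[1].deposit(chip_id, second)
    cert = {"agency": "EXAMPLE-AGENCY", "certifier": "EXAMPLE-CERTIFIER",  # placeholders
            "legal_authorization": True, "termination_date": "1994-06-30",
            "docket": "EXAMPLE-DOCKET", "key_escrow_in_use": True,
            "chip_id": chip_id, "decrypt_device_serial": "EXAMPLE-DEVICE-7"}
    parts = [agent.release(cert, "1994-05-03") for agent in agents]
    results = {"recovered": recombine("EXAMPLE-DEVICE-7", parts, "1994-05-03") == unit_key,
               "records_kept": all(len(agent.records) == 1 for agent in agents)}
    attempts = {
        "after_termination": lambda: recombine("EXAMPLE-DEVICE-7", parts, "1994-07-01"),
        "wrong_device": lambda: recombine("OTHER-DEVICE", parts, "1994-05-03"),
        "incomplete_cert": lambda: agents[0].release({"chip_id": chip_id}, "1994-05-03"),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "allowed"
        except ReleaseRefused:
            results[label] = "refused"
    return results
```

Calling `walkthrough()` returns the outcome of each step; the single-component and chip-mismatch refusals in `recombine` are exercised the same way.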
Answers to Questions From the Senate Subcommittee on Technology and
Law to NIST
Question 1. How long has the key escrow encryption standard been in develop-
ment? Which agency originated these concepts?
Answer 1. The concept of key escrow has been in development, as a solution to
meeting the needs for information protection while not harming the government's
ability to conduct lawful electronic surveillance, for about five years. The final devel-
opment and approval process of the Escrowed Encryption Standard (Federal Infor-
mation Processing Standard 185) began following the President's decision an-
nounced on April 16, 1993. The concepts were developed at the National Security
Agency, in response to requirements of law enforcement agencies and following discussions
with NIST.
Question 2. Before NIST recommended the key escrow encryption method for
nonclassified information, did it consider commercially-available encryption meth-
ods? If so, why were they rejected?
Answer 2. The voluntary key escrow encryption chip was developed specifically be-
cause no other products, commercial or otherwise, met the needs of the government
for protecting its sensitive information in voice grade telephone communications
while at the same time protecting its lawful electronic surveillance capabilities.
Question 3. The Administration recently established an interagency Working
Group on Encryption and Telecommunications "to develop new encryption tech-
nologies" and "to review and refine Administration policies regarding encryption."
Is this Group reviewing the Clipper Chip program?
Answer 3. This group is monitoring on-going development of the voluntary key escrow
encryption initiative (e.g., alternative methods, better implementations, etc.).
It is not reviewing the President's decision to commit the government to promote
voluntary key escrow encryption for voice grade telephone communications.
Question 3.1. Has this Working Group yet recommended any changes to the Clip-
per Chip program? If so, what are those recommendations?
Answer 3.1. The Working group continues to pursue voluntary key escrow
encryption technologies — and stands ready to work with interested industry firms
to do so. It has not recommended any specific changes to the current program.
Question 3.2. What refinements to the Clipper Chip program is this Group consid-
ering?
Answer 3.2. It is examining organizations outside the Cabinet Departments to
serve as alternative escrow agents. It is also examining issues involving inter-
national law enforcement cooperation on voluntary key escrow encryption matters.
Question 3.3. When will this Working Group complete its review of the Clipper
Chip program?
Answer 3.3. While there is no re-examination of the Administration's commitment
to the key escrow encryption initiative, the review of its implementation will likely
continue for some time. This reflects the need to monitor both the voluntary key
escrow encryption program and other encryption developments.
Question 4. NIST is supposed to be leading efforts to work with industry to im-
prove on the key escrow chips, to develop a key-escrow software and to examine al-
ternatives to Clipper Chip. Could you describe NIST's progress on each of these
three tasks? Specifically, what are the improvements and alternatives to Clipper
Chip that NIST is considering?
Answer 4. The key escrow encryption software working group, which includes sev-
eral industry representatives, has met several times to:
1) Specify and structure the problems to be solved;
2) Study the overall system integrity requirements for an acceptable solution;
3) Develop and list criteria for evaluating alternative proposed solutions; and
4) Begin defining software-based alternatives to the voluntary Clipper Chip key
escrow system.
This research work can reasonably be expected to last at least two-three years.
Regarding hardware improvements, no working group has yet been formed, but
the Administration has repeatedly expressed its willingness to work with interested
industry participants to develop improvements and alternatives.
Question 5. The Defense Authorization Bill for Fiscal Year 1994 has authorized
$800,000 to be spent by the National Research Council of the National Academy of
Sciences to conduct a two-year study of federal encryption policy. Do you think this
study is necessary?
Answer 5. While we believe that the Administration's review of these issues was
thorough, this study may identify new approaches for privacy while preserving law-
ful electronic surveillance capabilities which would be useful. The NRC's report will
receive careful study.
Question 5.1. Why is the Administration not waiting to implement its key escrow
encryption program until the National Research Council's study is completed?
Answer 5.1. The Administration's key escrow encryption initiative was announced
on April 16, 1993, over seven months before the enactment of the National Defense
Authorization Act for FY-94, which authorized the NRC study. The NRC study,
which will consider issues substantially broader than those involved in key escrow
encryption, will not be completed for at least two more years. The Administration's
voluntary key escrow encryption initiative seeks to ensure that in setting new federal
standards, lawful electronic surveillance capabilities are not undermined. Delaying
our standards would harm federal agencies' capabilities to protect their information.
Setting good encryption standards without key escrowing would harm lawful
surveillance capabilities.
Question 5.2. Should this study be expedited?
Answer 5.2. NIST is not participating directly in the study, which is not yet un-
derway. We do not know whether the study could be expedited without diminishing
its thoroughness and accuracy.
Question 6. The Government wants the key escrow encryption standard to become
the de facto industry standard in the United States, but has assured industry that
use of the key escrow chips is voluntary. Would the Government abandon the Clip-
per Chip program if it is shown to be unsuccessful beyond Government use?
Answer 6. The key escrow encryption initiative successfully provides for excellent
protection of federal information (and that of other users), without undermining the
ability of law enforcement to conduct lawful electronic surveillance. Since it meets
these goals successfully, the Escrowed Encryption Standard will continue to be a
highly satisfactory method of protecting sensitive federal information and, therefore,
should remain in effect regardless of its level of adoption within the private sector.
Question 7. If a user first encrypts a message with software using DES, and then
transmits the message "double encrypted" with a key escrow chip, can you tell from
looking at the cipher, or encrypted text, that the underlying message was
encrypted?
Answer 7. No. The only way to tell that a message has been "double encrypted"
in this way would be to decrypt the "outer layer" of encryption (i.e., that done with
Clipper). Only then would one be able to tell that the message had first been
encrypted with something else.
Question 8. Capstone is the Skipjack implementation for use with data transmit-
ted electronically. Has the Capstone chip been incorporated in any product currently
being marketed? When will the Capstone chip be released?
Answer 8. Capstone chips are just now becoming available. The Capstone chip is
being incorporated into a personal computer memory card ("PCMCIA card") for use
in providing security for sensitive government information in the Defense Message
System. This is the only product actually in production using Capstone. The Capstone
chip technically can be used for many security applications, not just computer
data.
Question 9. As computer and telecommunications technology advances, we are
able to send more information at higher speeds. The speed and reliability of our
telecommunications infrastructure gives American businesses the necessary edge in
our global marketplace. The specifications for Clipper Chip indicate that it is designed
to work on phone systems that transmit information no faster than 14,400
bits per second or on basic-rate ISDN lines, which transmit information at about
64,000 bits per second. Do the Clipper and Capstone Chips work fast enough for
advanced telecommunications systems? Will Clipper Chip be able to keep up with
the increasing speeds of telecommunications networks? Can the Skipjack algorithm
be "scaled" to work at higher speeds?
(See combined answer to questions 9 and 10 below.)
Question 10. Other commercially available encryption methods, like the Data
Encryption Standard, have encryption rates much higher than Clipper Chip. Current
high speed DES processors have encryption rates of approximately 200 million
bits per second, which dwarfs the Clipper Chip's maximum throughput of 15 million
bits per second. How will the Clipper Chip technology be able to compete with other
encryption methods that can keep up with the higher speeds of emerging technologies?
Combined answer to Questions 9 and 10. The Clipper Chip as a hardware device
was specially designed for end-to-end encryption of low-speed applications such as
digitized voice. It is more than fast enough for this purpose, even if encrypted traffic
is carried on the most advanced, high-speed telecommunications backbones. Capstone
also was designed for end-to-end encryption of user data. Neither Clipper nor
Capstone was designed to perform bulk encryption of high-speed telecommuni-
The Skipjack algorithm, like the DES algorithm, is suitable for use at much higher
speeds than implemented in Clipper and Capstone, and Skipjack-based hardware
can be designed for higher-speed link-encryption applications as the need arises. As
the speeds of the newest telecommunications technologies continue to grow, new key
escrow devices will be developed as needed. Key escrow encryption technology will
be able to compete with most other encryption methods for very high-speed applications.
Question 11. The Administration has assured industry that the key escrow tech-
nology will be enhanced to keep pace with future data requirements. What is the
Administration doing to develop key escrow technology that can work with emerging
high-speed communications technologies?
Answer 11. The Administration is working to identify needs for higher-speed applications
of key escrow technology and will work to develop key escrow encryption
devices to meet those needs. The technology for escrowing keys is readily adaptable
to emerging high-speed applications.
Question 12. Openly available devices, such as Intel-compatible microprocessors,
have seen dramatic gains, but only because everyone was free to try to build a better
version. Given the restrictions on who can build key escrow encryption chips,
how will these chips keep up with advances in semiconductor speed, power, capacity
and integration?
Answer 12. Despite the requirements that a firm must meet to produce key es-
crow encryption chips, we expect that there will be a number of manufacturers com-
peting against each other to produce the best product, and that such competition
will drive them to keep up with the latest technological advances. It is worth noting
that only a few companies can produce the sophisticated microprocessors you ref-
erence, yet the competition in that market has driven them to achieve remarkable
advances in that technology.
Question 13. NIST estimates the cost of establishing the key escrow facilities to
be $14 million and the cost of operating the key escrow facilities will be about $16
million annually. What is your statutory authority for these expenditures?
Answer 13. Under the Computer Security Act of 1987, NIST is responsible not
only for developing Federal Information Processing Standards for the protection of
sensitive federal government information, but also for providing assistance in using
the Standards and applying the results of program activities under the Act.
Most directly applicable are sections 278g-3(b) (1) and (3) of title 15 of the U.S.
Code. Subsection (3) authorizes NIST to provide technical assistance in implement-
ing the Act to operators of federal systems. Subsection (1) authorizes NIST to assist
the private sector in "using and applying" the results of NIST's programs under the
Act, thus showing that the scope of the assistance authorized by the Act includes
help in applying the standards NIST develops. This section indicates that NIST may
provide technical assistance to the private sector rather than just to the federal
agencies that must comply with the standards.
Question 14. What has been spent to date on Skipjack, Capstone and Clipper
Chip?
Answer 14. NIST's FY-94 expenditures through the end of April are approxi-
mately $268,000. FY-93 expenditures regarding the Clipper Chip and key escrow
encryption technologies involved a significant portion of NIST's computer security
budget, specifically the level of resources devoted to this technology was approxi-
mately four years of professional staff time and travel expenses of about $10,000.
NSA will provide their funding information separately to the Committee.
No cost figure can be assigned to the NSA's development of the SKIPJACK algo-
rithm, in part because it was developed as a family of classified algorithms over a
period of years.
Question 15. NIST has explained that the single company manufacturing the Clipper
Chips was selected because of its expertise in designing custom encryption
chips, as well as its secure facilities and employees with high security clearances.
How long will it take for the Government to certify another vendor of Clipper Chip?
What progress, if any, has the Administration made on finding another vendor?
Answer 15. Several firms have expressed interest in becoming vendors of key es-
crow encryption chips. So far, one of these (other than the current company) has
demonstrated that it has the technical expertise, secure facilities, and cleared personnel
necessary to do the job. We expect that this firm would be able to commence
production by early 1996.
Question 16. Once a given chip has been compromised due to use of the escrowed
keys, is there any mechanism or program to re-key or replace compromised hard-
ware? Is there any method for a potential acquiring party to verify whether the keys
on a given chip have been compromised?
Answer 16. It should be emphasized that release of escrowed key components to
law enforcement agencies for use in conjunction with lawfully authorized electronic
surveillance does not constitute compromise of the particular chip associated with
those key components. Upon completion of electronic surveillance, the law enforce-
ment agency's ability to decrypt communications with the particular chip ends, and
therefore, those communications again become undecryptable unless and until the
key components are released once more. There is no way to re-key chips for which
escrowed keys have been used. If a chip could be re-keyed, it might be possible for
users to replace the chip unique key, thus defeating the law enforcement access
field. The hardware can be replaced with new hardware for which keys have not
been released from escrow.
Question 17. The Skipjack algorithm itself is classified, but the halves of the keys
held by the escrow agents cannot be since they will be released upon presentation
of a court order. Will the databases maintained by the escrow agents to hold the
keys be subject to the Freedom of Information Act? What exception will you rely
upon to justify withholding requests for information under FOIA?
Answer 17. As a matter of clarification, it should be noted that the key compo-
nents are not themselves part of the SKIPJACK algorithm, nor do they, in combina-
tion with each other or with any other group of binary numbers, generate the algo-
rithm, or provide any information regarding its characteristics.
We understand your question regarding the Freedom of Information Act as relat-
ing to the electronically stored key components held by NIST as an escrow agent,
which information associates each particular chip-unique ID number with one of the
components of its unique key. Release of these key components would permit a
FOIA requestor to circumvent the protections that NIST is required to develop and
promulgate as Federal Information Processing Standards under the Computer Secu-
rity Act of 1987 (P.L. 100-235). Under 5 U.S.C. 552(b)(2), agencies are authorized
to withhold information the disclosure of which would risk the circumvention of a
statute or agency regulation. Therefore, the key escrow materials are protectible
under 5 U.S.C. 552(b)(2).
Question 18. Normal security procedures involve changing cryptography keys peri-
odically, in case one has been compromised. For example, those of us who use E-
mail systems are accustomed to periodically changing our password for access to the
system. But Clipper Chip's family and unique key cannot be changed by the user.
If these keys are compromised, it will not matter how frequently the user changed
their session keys. Does the long use of the same family and unique keys increase
the likelihood that these keys will be compromised while they are still in use? Does
this eliminate a significant degree of the user's control of the level of security that
the system provides?
Answer 18. No. As discussed in the answers to other questions, access to the key
escrow components will be highly controlled. In addition, these components them-
selves will be encrypted. Extensive audit procedures have been designed into the
system to guard against any unauthorized access. Given these and other extensive
protections, it is very unlikely that long use of the same chip unique or family key
will have any negative impact upon users' security.
Question 19. How secure is the Clipper Chip if someone gets unauthorized access
to half the key?
Answer 19. Knowledge of only one key component provides no information about
the chip unique key and, therefore, does not in any way harm the security of the
user.
Question 20. Every Clipper Chip has the same Family Key programmed into it.
When conversations encrypted with Clipper Chip are intercepted, this Family Key
is used to decode the intercepted serial number, or unique identifier, which the tar-
geted chip transmits at the beginning of every conversation. With the serial number,
the law enforcement agency can get the government set of key components from the
escrow agents. Who has access to the Chip Family Key? Is it going to be distributed
to all law enforcement agencies so they can quickly decipher serial numbers of chips
that may become the target of a wiretap order? Will the Chip Family Key be pro-
tected in any way and, if so, how?
Answer 20. With respect to the first question, access to the family key is very
closely held. The family key is the combination of two binary numbers independ-
ently and randomly generated and held, respectively, by the Department of Justice
and the FBI. The combined family key is held under tightly controlled conditions
in a dual-control safe at the programming facility for use in the programming proc-
ess. When needed for a programming run, the family key is extracted from storage
by specially designated employees of the programming facility, in the presence of
representatives of the escrow agents, and entered into the programmer. At the end
of a programming run, the programmer is again cleared of the family key. In addi-
tion, the family key is programmed into all law enforcement decrypt processors to
discern the particular chip ID number when necessary.
With respect to the question regarding availability of the family key, the foregoing
explanation indicates the extraordinary limitations on access to the family key.
Agencies desirous of learning whether a particular communication is encrypted with
key escrow encryption and, if so, learning the particular chip ID number will have
access to the family key only as programmed into the decrypt processor. This may
require a particular agency not possessing such a processor to provide to an agency
that does hold one the communications suspected of being encrypted, so that the ini-
tial determination can be made. It should be emphasized, however, that an agency's
determination of whether communications are being encrypted, and of the ID num-
ber of the chip performing the encryption, would occur in conjunction with the con-
duct of a lawfully authorized surveillance — not, as the question may imply, as part
of activities preceding such authorization. Further questions on the protection of the
family key are best directed to the U.S. Department of Justice.
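The two-component arrangement described in Answers 17 through 20 (each escrow agent holds one component per chip ID, one component alone says nothing about the chip unique key, both must be released before anything can be decrypted) can be checked directly. The following is an added example and is not part of the hearing record or of any NIST or NSA code; it assumes, as the Clipper escrow scheme did, that the two components are combined by bitwise XOR, and the agent names, chip ID and key bytes are constructed for illustration.

```python
import secrets


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a chip unique key into two escrow components.

    Component 1 is drawn uniformly at random; component 2 is the value
    that makes the two XOR back to the key. Combination by bitwise XOR
    is an assumption of this example, not something stated in the record.
    """
    c1 = secrets.token_bytes(len(key))
    c2 = bytes(k ^ a for k, a in zip(key, c1))
    return c1, c2


def combine(c1: bytes, c2: bytes) -> bytes:
    """Rebuild the key from both components (the decrypt processor's step)."""
    if len(c1) != len(c2):
        raise ValueError("components must have the same length")
    return bytes(a ^ b for a, b in zip(c1, c2))


def keys_consistent_with_one(component: int, width_bits: int = 8) -> set[int]:
    """Answer 19 checked exhaustively for a small key width: given one
    component, every key of that width is still possible, because the
    missing component could be any value. Always returns 2**width_bits keys."""
    return {component ^ other for other in range(1 << width_bits)}


def keys_consistent_with_both(c1: int, c2: int) -> set[int]:
    """Both components together leave exactly one candidate key."""
    return {c1 ^ c2}


class EscrowAgent:
    """One of the two escrow agents. Holds the chip-ID-to-component table
    described in Answer 17, releases a component only when the request is
    marked as lawfully authorized (a plain boolean here), and keeps the
    audit trail Answer 18 refers to."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._table: dict[int, bytes] = {}
        self.release_log: list[int] = []

    def deposit(self, chip_id: int, component: bytes) -> None:
        self._table[chip_id] = component

    def release(self, chip_id: int, authorized: bool) -> bytes:
        if not authorized:
            raise PermissionError(f"{self.name}: no authorization for chip {chip_id:#x}")
        self.release_log.append(chip_id)
        return self._table[chip_id]


def program_chip(chip_id: int, key: bytes, agent_a: EscrowAgent, agent_b: EscrowAgent) -> None:
    """Programming-facility step: split the key and deposit one half with each agent.
    The whole key never leaves this function."""
    c1, c2 = split_key(key)
    agent_a.deposit(chip_id, c1)
    agent_b.deposit(chip_id, c2)


def recover_unique_key(chip_id: int, agent_a: EscrowAgent, agent_b: EscrowAgent,
                       authorized: bool) -> bytes:
    """Decrypt-processor step: both agents must release before the key exists again."""
    return combine(agent_a.release(chip_id, authorized),
                   agent_b.release(chip_id, authorized))


def release_refused_without_authorization(chip_id: int, agent_a: EscrowAgent,
                                          agent_b: EscrowAgent) -> bool:
    """True when an unauthorized recovery attempt is refused by the first agent asked."""
    try:
        recover_unique_key(chip_id, agent_a, agent_b, authorized=False)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed data: a hypothetical chip ID and an 80-bit key (Skipjack's key length).
    agent_a, agent_b = EscrowAgent("Agent A"), EscrowAgent("Agent B")
    chip_id, key = 0x0001_2345, secrets.token_bytes(10)
    program_chip(chip_id, key, agent_a, agent_b)
    assert recover_unique_key(chip_id, agent_a, agent_b, authorized=True) == key
    assert release_refused_without_authorization(chip_id, agent_a, agent_b)
    print("one component leaves", len(keys_consistent_with_one(0x5A)), "candidate keys;",
          "both leave", len(keys_consistent_with_both(0x5A, 0xC3)))
```

The exhaustive check is the point of `keys_consistent_with_one`: for an eight-bit toy key, whichever component value is observed, all 256 keys remain possible, which is the precise sense in which a single component "provides no information". The same argument holds at full key length, where enumeration is infeasible but the bijection between component 2 and the key is unchanged. What the model does not capture is Answer 16's observation that once both components have been released the chip cannot be re-keyed; in the code that corresponds to the fact that nothing in `EscrowAgent` can ever change an entry after `deposit`.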
Question 21. The Chip Family Key is built into the chip when it is programmed
and cannot be changed. In the event that someone got unauthorized access to the
Chip Family Key, what could that person do with it?
Answer 21. In the very unlikely event that someone were able to gain access to
the family key and were able to figure out a means to use it, the only information
that could be obtained would be the serial numbers of the EES devices used for a
telecommunication. Of course, intercepting such a telecommunication without lawful
authorization would be a felony offense.
Question 22. Clipper Chip design data will need to be released to manufacturers
in order for them to incorporate the chip into security devices. How will we be as-
sured that this design information, in itself, will not allow the key escrow chips to
be compromised?
Answer 22. The only design data which will need to be released to manufacturers
of devices using the chip are its interface specifications, such as size, power require-
ments, data input, and the like. None of these data can in any way be used to deter-
mine the encryption algorithm or any other information affecting the security of the
encryption.
Question 23. A decrypt device will be used to receive an electronic transmittal of
the two key halves from the escrow agents. The decrypt device will then be able
to decrypt the intercepted message, until the wiretap authorization ends, when it
will automatically turn itself off. How many of these decrypt devices will be built?
Will the decrypt devices be maintained in a central secure facility? If so, who will
maintain custody of the devices and how will they be distributed to the law enforce-
ment agencies that need them?
Answer 23. Termination of a decrypt processor's ability to decrypt communications
using a particular key escrow chip is a fundamental protection built into the system
and law enforcement agencies that have received key components will be required
to certify such termination. In the prototype model of the decrypt processor, that
termination is effected manually; automatic termination will be available in later
versions.
The number of decrypt processors that will ultimately be produced will probably
be in large measure a function of the number of key escrow equipped devices in use
throughout the country and the number of times key escrow encryption is encoun-
tered in the course of wiretaps. For the foreseeable future, when it is likely that
the number of decryption processors will be small, it is likely that they would be
centrally held by the FBI, to be made available for use in the field on an as-needed
basis.
Question 24. The key escrow approach is designed to ensure the ability of the
American government to access confidential data. What would make key escrow
chips manufactured in America an attractive encryption method for foreign cus-
tomers?
Answer 24. The key escrow initiative was undertaken to provide users with robust
security without undermining lawfully authorized wiretaps. This point is important
to emphasize as the market for this product very much depends on who users per-
ceive as a threat to intercept their communications. The potential export market for
encryption products can be divided into two categories: exports for foreign govern-
ment use and exports for non-government use. The most likely government users
of commercial encryption products would be countries that have a relatively low de-
gree of technical sophistication, lack other resources necessary to develop their own
encryption products, and do not perceive the United States as a primary threat.
Such countries might be primarily concerned about access to their communications
by neighboring countries, terrorists, criminal elements, or domestic political oppo-
nents. Such government users might view a vulnerability to possible eavesdropping
by the United States as a price worth paying in return for security against those
more immediate threats. However, we do not expect such users to constitute a major
export market for key escrow encryption products.
The non-government sector represents a much greater potential export market for
key escrow encryption products. While some prospective users abroad may steer
clear of key escrow products because the United States will retain access, there may
be many who believe they are unlikely to be targeted by U.S. intelligence in any
case or for whom the superior security offered by key escrow encryption products
against threats of greater concern may make key escrow products an attractive op-
tion. (For example, a distributor of pay-TV programming may depend on encryption
to ensure that only those viewers who pay for the service can decrypt the TV signal.
Such a distributor probably would not be concerned about the threat of access by
the United States Government, and might favor key escrow encryption over compet-
ing products that use weaker encryption algorithms.) In addition, others may be at-
tracted to key escrow encryption products in part by the need to interoperate with
other users of such products, especially businesses in the United States.
Question 25. If key escrow chips are not commercially accepted abroad, and export
controls continue to restrict the export of other strong encryption schemes, is the
U.S. Government limiting American companies to a U.S. market?
Answer 25. U.S. firms have long been major players in the international commer-
cial encryption market despite export controls on encryption products. We do not im-
pose a blanket embargo on products which encrypt data or voice. Encryption prod-
ucts undergo a one-time technical review, the results of which are used in decisions
as to whether a given product can be exported to particular end users consistent
with U.S. interests. After the one-time review, products are given expedited licens-
ing treatment. Some are licensed for export to virtually all end users. Some products
are licensed less widely. Overall, over 95% of export license applications for
encryption products are approved. Any encryption product can be exported by U.S.
businesses for use in their facilities abroad. In addition, the President recently di-
rected that a number of changes be made in the licensing process to expedite licens-
ing and to ease the regulatory burden on exporters. In short, we have every reason
to expect that the U.S. will continue to be a major exporter of commercial encryption
products, regardless of the commercial success of key escrow encryption products.
Question 26. Is the key escrow encryption system compatible with existing
encryption methods in use?
Answer 26. As is true among devices using different algorithms (e.g., DES, RSA,
RC4, etc.) key escrow encryption products will not interoperate with other products
using a different algorithm. Note also that many commercial products that use the
same algorithm do not interoperate due to other constraints (e.g., transmission
rates, voice-digitization process, other protocols, etc.).
Question 27. As part of NIST's continuing review of the key escrow encryption
scheme, is NIST considering any new encryption approach that would be compatible
with the embedded base of equipment?
Answer 27. No new approaches are being considered with the specific goal of com-
patibility with some installed devices. Note that no encryption approach would be
consistent with the entire installed base of equipment. It is too widely varied.
Question 28. Critics of U.S. export restrictions on strong encryption technology
argue that these restrictions have the effect of reducing the domestic availability of
user-friendly encryption, which could otherwise be routinely incorporated in soft-
ware and telecommunications equipment. What is the Administration's response to
this criticism?
Answer 28. We do not believe that export controls have reduced the domestic
availability of encryption. Encryption products have been commercially available in
this country for a long time, especially since the adoption of the Data Encryption
Standard (DES) as a Federal Information Processing Standard in 1977. However,
demand for such products has been limited, with government purchases comprising
the bulk of the encryption market. As public interest in and understanding of the
need for security increases, we are moving aggressively to make available to the
public, on a voluntary basis, the voluntary key escrow encryption technology needed
to provide strong encryption without sacrificing the public's interest in effective law
enforcement. Far from reducing the domestic availability of encryption, government
actions, from adopting the DES standard to development of key escrow encryption
technology, and even in driving the market during the years when there was little
commercial interest, have greatly increased the domestic availability of encryption
products, rather than reducing it.
Answer to a Question From Senator Patty Murray to NIST
Question 1. In my office in the Hart building this February, I downloaded from
the Internet an Austrian program that uses DES encryption. This was on a laptop
computer, using a modem over a phone line. The Software Publishers' Association
says there are at least 120 DES or comparable programs worldwide. However, U.S.
export control laws prohibit American exporters from selling comparable DES pro-
grams abroad. With at least 20 million people hooked up to the Internet, how do
U.S. export controls actually prevent criminals, terrorists or whoever from obtaining
DES encryption software?
Answer 1. On the matter of export controls on encryption software (including
DES), NIST defers to the National Security Agency, which, we understand, has been
asked the same question.
Answer to a Question From Senator Larry Pressler to Raymond Kammer,
Deputy Director, NIST
Question 1. NIST has approved the use of the Clipper Chip as the federal stand-
ard for encoding federal communications involving sensitive but unclassified infor-
mation. Is there a reason why the Clipper Chip is not approved for classified infor-
mation as well? If so, please explain.
Answer 1. The National Security Agency approves encryption systems for the pro-
tection of classified information, and is considering approval of Clipper for selected
classified applications. The encryption algorithm used in the Clipper Chip, called
SKIPJACK, is one of a family of encryption algorithms developed by NSA for use
in protecting classified information.
Answers to Questions From the Senate Subcommittee on Technology and
the Law to Whitfield Diffie
Question 1. The serial number, or unique identifier number, for each key escrow
chip is sent out as a header on each encrypted communication. If the Government
just wanted to know where I was and not what I was saying, would it be possible
for the Government to track down the header on my communications and figure out
where I was from where I was sending out my encrypted messages? Could you ex-
plain how this would be possible? Do you have concerns about this?
Answer 1. The serial number is contained in a block encrypted with the Family
Key and is thus accessible only to those who can obtain the Family Key. This point
is discussed further in the response to question 8.
Concealing the gross characteristics of messages (existence, timing, length, origin,
destination, etc.) is typically more difficult to achieve by end-to-end techniques
(those that operate only in the user's equipment) than concealing their contents. In
modern telephone systems the called and calling numbers of phone calls are typi-
cally easy to get at. (This is what makes possible the controversial Caller-ID serv-
ice.) In electronic mail — even encrypted electronic mail — this information is nor-
mally contained in the message headers. In the case of cellular telephones, the par-
ticular characteristics of the phone as a radio (Emitter ID) can be detected and used
to distinguish among individual phones.
In short, although preventing interceptors from detecting serial numbers would be
one necessary step in preventing tracking, that task is quite difficult and serial
numbers may not be the most critical element.
Question 2. NIST has stated that "industry interest in developing secure software
based on key escrow encryption is minimal." Is that a correct assessment and, if so,
could you explain why?
Answer 2. NIST's statement is unfamiliar to me, but certainly accords with my
experience. We do not perceive our customers as wanting escrowed encryption, so
why would we want to develop software around it? There are de facto industry
standards growing up around public key and multiple-DES. I suspect I speak for
a broad segment of the industry in saying that we prefer to develop software based
on publicly known techniques that are receiving acceptance from our customers.
Question 3. In a speech last month at a telecommunications conference in Buenos
Aires, Vice President Gore described his vision for a global information network to
link the people of the world and provide a global information marketplace. How
would the electronic information flow between countries be affected if other coun-
tries will not let Clipper Chip in?
Answer 3. At present most internet traffic, like most of the world's communica-
tions, is unencrypted. It is the belief of those of us who support improvement of tele-
communication security that the developing information infrastructure will not be
able to serve its function adequately unless it is made more secure. Since the net-
work — like the world economy — is international, worldwide interoperability stand-
ards are required. Security products that are the exclusive property of one country,
or even a small group, of countries, would appear to have no possibility of fulfilling
this function.
Question 4. We are market leaders in applications software and operating sys-
tems. Our world leadership in operating systems is dependent on integrating secu-
rity in internationally distributed systems. If overseas companies provide systems
based on algorithms without key escrow schemes that encrypt faster and more se-
curely, how will we compete internationally?
Answer 4. If overseas companies produce operating systems and application pro-
grams based on security mechanisms that cannot be exported from the United
States, the U.S. software business will surely suffer.
Question 5. The National Security Agency has stated that "many non-key escrow
encrjrption products have long been licensed for export * * * [and] * * * will continue
to be * * *. " Do you share this view that many American encryption products are
freely licensed for export?
Answer 5. You have quoted NSA as saying that products "have been licensed for
export" and "will continue to be." They have said nothing about "freely." In our ex-
perience it is often difficult and time consuming to get export licenses in secure com-
munications and related areas even when there are comparable foreign products or
when licenses have previously been granted for similar shipments.
The history of export licenses, however, is a question of facts not of views and
these are facts to which I have little access. The question points up an issue that
should be high on the export reform agenda: An opening up of the export control
process that creates a written public record of export control policies and decisions.
Question 6. The Administration has stated that the Skipjack algorithm in the
Clipper Chip must remain classified and only specially certified vendors will be
given access to it. By contrast, openly available devices, such as Intel-compatible
microprocessors, have seen dramatic gains, but only because everyone was free to
try to build a better version. Given the restrictions on who can build Clipper de-
vices, do you have any concerns about how Clipper will keep up with advances in
semiconductor speed, power, capacity and integration?
Answer 6. I do, but these concerns are merely part of a larger concern. If the
semi-conductor industry becomes dependent on parts available only on the suffer-
ance of the government, it will no longer be free to make and carry out basic busi-
ness decisions.
Should NSA (which appears to have control of the technology and the supply of
parts despite the fact that key escrow is a Department of Commerce standard) de-
cide to cease authorizing the production of clipper chips, industry would no longer
be able to ship products interoperable with those sold earlier.
When Digital Equipment Corporation concluded some years ago that a very high
speed DES device might be needed, it developed one internally using Gallium Arse-
nide technology. Should a semi-conductor manufacturer decide that a similar high-
speed SKIPJACK chip was required it would need NSA's concurrence and coopera-
tion to go ahead with the product. Under these circumstances, it might be blocked
because NSA did not have any way of tamper proofing a sufficiently fast design. It
should also be noted that such developments could be blocked or delayed even when
they were completely in accord with government policy and objectives, because of
lack of government funds, personnel, or other resources.
Question 7. The Administration has assured industry that the key escrow tech-
nology will be enhanced to keep pace with future data requirements. Are you aware
of anything the Administration is doing to develop key escrow technology that can
work with emerging high-speed communications technologies?
Answer 7. It is my understanding that a high speed algorithm called BATON is
under development, but I have no further information.
Question 8. Every Clipper Chip has the same Family Key programmed into it.
This Family Key is used by law enforcement to decode an intercepted serial number,
or unique identifier, that is transmitted at the beginning of every encrypted con-
versation. The law enforcement agency presents this serial number to get the decod-
ing keys from the escrow agents. In the event that someone got unauthorized access
to the Chip Family Key, what could that person do with it? Do you have any con-
cerns about who will have access to the Chip Family Key?
Answer 8. Although the administration seems to be saying that the Family Key
will be very tightly controlled, it is traditional COMSEC doctrine that nothing that
remains constant for a long period of time can be expected to remain secret. This
is the view under which cryptographic systems are always presumed to be known
to an opponent.
Possession of the family key, together with the LEAF creation method, would
allow an opponent to identify individual cryptographic chips as discussed under
question 1. It would also bring an opponent one step closer to recovering Chip
Unique Keys, as described in my testimony, and thus having potential access to all
past and future messages encrypted by particular chips.
Question 9. The Internet Privacy Enhanced Mail (PEM) is becoming an inter-
nationally recognized system for encrypting Electronic Mail over the Internet. If the
Administration is successful in making the Skipjack key escrow system an American
standard for encrypting electronic mail while the rest of the world uses PEM, how
would this affect encrypted E-mail traffic between the U.S. and other countries?
Answer 9. I don't know how widely PEM is used at present, either inside or out-
side the U.S. PEM, in contrast to its competitor Pretty Good Privacy or PGP, has
a rigid certificate structure that requires the construction of certification hierarchies
and registration of users. The effect is to require top down adoption of PEM rather
than promoting its free spread among users. This has slowed its "market penetra-
tion." PEM is also export controlled, although I have been told there are non-U.S.
implementations.
At present only the DES/RSA combination of cryptosystems are reflected in PEM
standards. PEM is potentially flexible, however, attaching labels to messages that
indicate the cryptosystem in use. (Sun's implementation, for example, allows alter-
nate cryptosystems.) There has been discussion of expanding PEM to allow triple
DES and a key escrow based version seems equally possible.
Nonetheless, if a multiple DES and RSA version of PEM is widely used outside
the U.S. and a key escrow version is used within, this will present a major barrier
to secure communications between American and foreign companies.
Question 10. Is the demand for strong encryption technology growing and, if so,
why?
Answer 10. It is hard to distinguish a demand for strong encryption from a de-
mand for encryption period. It is, after all, rare for someone to want weak
encryption. Usually it is accepted because strong encryption is too expensive or oth-
erwise unavailable. The long history of scrambled (weakly analog encrypted) tele-
phones, for example, was a result of the high cost of digitizing the sound so that
it could be strongly encrypted.
That said, the demand for encryption is growing. The fundamental reason is that
as the quality of communication networks improves, the value of the traffic they
carry increases. At one time long distance telephone calls were too expensive and
too poor in quality to be used for anything more than making appointments or get-
ting quick answers to questions. Today, entire business meetings are conducted by
phone. The growth in quality and cost performance of written electronic communica-
tions has been even greater and has led to important and sensitive messages being
transmitted by fax or electronic mail. Today, most of these messages go without "en-
velopes." That is what encryption provides.
Sun Microsystems Computer Corp.,
Mountain View, CA, May 23, 1994.
Hon. Patty Murray,
Committee on the Judiciary,
U.S. Senate, Washington, DC.
Dear Senator Murray: I very much appreciate the opportunity to respond to
your question:
Question 1. In my office in the Hart building this February, I downloaded from
the Internet an Austrian program that uses DES encryption. This was on a laptop
computer, using a modem over a phone line. The Software Publishers' Association
says there are at least 120 DES or comparable programs worldwide. However, U.S.
export control laws prohibit American exporters from selling comparable DES pro-
grams abroad.
With at least 20 million people hooked up to the Internet, how do U.S. export con-
trols actually prevent criminals, terrorists or whoever from obtaining DES encrypted
software?
Answer 1. I have considered this issue with some care and I believe the answer
lies in the critical dependence of the adoption of security measures on their ease
of use.
No matter how obvious the need for communication security is to those of us who
work in the field, it is difficult to sell. The reason for this is that communications
intelligence is rarely visible to its target. Even if a company finds that it is repeat-
edly losing bids by small margins to a single competitor, discovering whether the
vulnerability is in communications or procedures or personnel is very difficult.
Under the circumstances, selling secure communications is much like selling insur-
ance against a disaster that the customer cannot see.
The result is that users tend to avail themselves of secure communications only
when security is built in as an automatic function that does not interfere with their
work or require their attention. The availability of a cryptographic program that is
not integrated into an application is useful only to those already dedicated to the
practice of security. For these people, converting the Federal Standard for DES or
some similar algorithm specification into a program is a small part of the job.
Consider for example, someone who is writing many drafts of a report and keep-
ing them encrypted by using a file encryption program separate from the word proc-
essor. The writer must not only remember to reencrypt the file after each editing
session, but if the word processor leaves unintended copies around on the disk, must
run a disk cleaning program as well. Any slip-up potentially leaves the document
vulnerable to compromise and similar examples present themselves in communica-
tion.
What NSA fears is a Sun or Microsoft or DEC operating system with encryption
built in in such a way that after an initial log-in, all security is provided trans-
parently for the user. This might, for example, support an application allowing peo-
ple at remote locations to work jointly on a document. All drafts would be commu-
nicated encrypted without the writers having to do anything.
The answer to your question is thus twofold. The U.S. export controls probably
do not prevent criminals or terrorists who are attentive to security from getting ac-
cess to encryption software. They may, for a time, prevent these people from getting
what honest business people want: Encryption software that functions automatically
and invisibly in their operating systems and supports a variety of application pro-
grams in a consistent way.
From a communications intelligence viewpoint, NSA's fear is rational. Because the
software marketplace is international, however, the effect of export controls has
been to stifle the development of security in operating systems. Companies whose
markets are frequently more than half foreign are loath to expend resources devel-
oping features that can be sold to only a minority of their customers.
Concern with America's position in international trade is also rational, however.
It seems unlikely that businesses can indefinitely increase their dependence on com-
puters and communications without installing security mechanisms commensurate
with the value of their investments. The security machinery itself will be a small
fraction of the total revenue for computer systems and software, but its smooth inte-
gration into operating systems and applications may be the sine qua non of future
market acceptance.
Yours truly,
Whitfield Diffie,
Distinguished Engineer.
Sun Microsystems Computer Corp.,
Mountain View, CA, May 23, 1994.
Hon. Patrick J. Leahy,
Committee on the Judiciary,
U.S. Senate, Washington, DC.
Dear Senator Leahy: I very much appreciate both the opportunity of speaking
before your subcommittee and the opportunity to respond to your questions, the an-
swers to which I have attached to this letter.
As I sat listening to the committee proceedings, I felt a glimmer of hope that the
key escrow proposal might actually be stopped. At the same time I realized that
winning this "fight," should we be so lucky, would not contribute to winning the
larger battle: The battle to improve the security of American business and personal
communications.
For more than a decade, we have been trying without much success to persuade
the public that their communications are worth protecting and that this protection
is worth paying for. In this campaign, we have usually had little support from NSA
and at times we have had active opposition. NSA, however, has a decisive role to
play and the battle probably cannot be won without it.
NSA is in possession of a vast body of information about both the vulnerabilities
of communications and actual instances of their exploitation. When it is in market-
ing mode, as it was during the mid-nineteen eighties with its STU-III and CCEP
programs, it lends its weight to the view that the communications of Americans are
being exploited and need protection. When it is arguing against commercial stand-
ards or the relaxation of export controls, it takes the opposite view.
In undertaking the key escrow program, NSA has put forth a deal. They will lend
both their technical and marketing abilities to the development of a new generation
of widely available security equipment. The condition is the key escrow. Most of
NSA's budget goes to intelligence and intelligence demands its cut. Should the key
escrow program be stopped, it seems likely that we will return to a situation in
which industry must try to persuade the public of the need for security over NSA's
opposition or at best in the face of its indifference.
I suggest, therefore, that should Congress choose to take over the reins of policy
in this area, it will not be sufficient to end the Administration's venture into key
escrow. It will be necessary to insist that protecting the communications of all
Americans be put foremost among NSA's responsibilities and to mandate NSA's full
and unreserved participation in this program.
Yours truly,
Whitfield Diffie,
Distinguished Engineer.
Answers to Questions From the Senate Subcommittee on Technology and
the Law to Stephen T. Walker
Question 1. The serial number, or unique identifier number, for each key escrow
chip is sent out as a header on each encrypted communication. If the government
just wanted to know where I was and not what I was saying, would it be possible
for the government to track down the header on my communications and figure out
where I was from where I was sending out my encrypted messages? Could you ex-
plain how this would be possible? Do you have concerns about this?
Answer 1. It would be relatively straightforward for the government to track the
movement of individuals and the phone numbers of people with whom they are com-
municating using the Clipper key escrow system without the need for a wiretap
court order.
The law enforcement decryption unit that is used to initially detect the use of a
Clipper device contains the "family key" of all Clipper telephone security devices.
This key allows the decryption unit to identify the unique serial number without
any interaction with the key escrow centers. Anyone with access to such a
decryption unit could identify calls from specific Clipper devices without a court
order.
Such activity would require access to phone communications facilities that would
normally be associated with court-ordered wiretaps. Access to the decryption unit
would normally be reserved for law enforcement officials [Initially there is only one
such unit, but presumably if Clipper becomes widely used, there will be many avail-
able to law enforcement throughout the country.]
It is important to note that if one does not use a TSD, one's communications are
trivially vulnerable to this same threat today.
Question 2. You are a member of the Computer System Security and Advisory
Board, which was created by the Computer Security Act of 1987 to advise NIST on
computer policy matters. Was this Board consulted by NIST during consideration
of the key escrow encryption standard?
Answer 2. The Board was never consulted "before-the-fact" in any of the Adminis-
tration's announcements on Clipper, the Digital Signature Standard, the Escrow
Encryption Standard or any other matter related to cryptography. In each case the
members of the Board were as surprised as the general public by these announce-
ments.
As was demonstrated in the case of the proposed licensing of the Digital Signature
Algorithm to Public Key Partners last June, the advice of the Board relative to the
cost impact on the general public eventually lead to a reversal of that proposal. Had
the advice of the Board been sought before this proposal was put forward, I believe
at least nine months of delay in issuing the Digital Signature Standard could have
been saved. Given that the government has delayed the issuing of the DSS for over
twelve years, though, it is not clear that this would have made much difference.
It is important to note that all activities of the Board except those dealing with
budgets and proprietary concerns must be held in open session. Under these cir-
cumstances, describing its proposed actions to the Board would be equivalent to the
government announcing its actions in public. I do believe that if the government
wanted to it could make use of the proprietary information provisions to seek the
advice of the Board prior to announcing its policy decisions. It is apparent that the
government has chosen not to take this course in every announcement related to
cryptography.
Question 3. Many users prefer encryption software because it is more cost effective
than a hardware solution. So far, Clipper Chip has not been implemented in soft-
ware. NIST announced in February that it will try to establish cooperative partner-
ships with the software industry to develop key escrow software. You are a member
of NIST's Software Escrowed Working Group, which is examining the possibilities
for alternatives to Clipper Chip. Has any progress been made? If not, could you ex-
plain why?
Answer 3. I am a member of the NIST Software Escrow Encryption Working
Group and just this past week, I have made a proposal to NIST and NSA of an al-
ternative to Clipper key escrow that I believe provides as good a solution to the law
enforcement concerns while being implementable entirely in software. This proposal
could provide a far more cost-effective solution to key escrow than Clipper. I made
this proposal in the interests of demonstrating that key escrow could be achieved
without secret encryption algorithms and mandatory hardware.
I must reiterate the major concern of my testimony before your hearing that gov-
ernment-imposed key escrow in any form, whether implemented in Clipper hard-
ware or in software, should not take place until it has been subjected to full legisla-
tive review, passage of a law, signed by the President, and if necessary, determined
to be Constitutional by the Supreme Court.
My suggestion that at least one software key escrow approach is just as good as
that envisioned in Clipper is made as a technical suggestion for consideration by the
government in full recognition that the government may choose to impose this tech-
nique on the American people without the benefit of Congressional consideration.
I sincerely hope this does not happen.
Question 4. NIST has stated that "industry interest in developing secure software
based on key escrow encryption is minimal." Is that a correct assessment and, if so,
could you explain why?
Answer 4. The statement in quotes in this question is a complex statement that
must be treated in parts. I believe that industry is concerned about key escrow for
many reasons. Key escrow implemented in hardware using Clipper represents a sig-
nificant increase in the complexity and cost of their products. Even key escrow im-
plemented in software will complicate products while not adding to their market-
ability.
More importantly, I am convinced that industry has little interest in developing
key escrow encryption techniques, whether in hardware or software, for exactly the
same reason as most American citizens: they don't like it. If we as a people decide
that the benefits of key escrow are worth the risks to individual privacy, if we pass
legislation making key escrow legal under controlled circumstances, then I believe
most Americans and most of American industry will support its implementation in
computer and telephone products. Until then, I believe the opposition to key escrow
will continue.
Question 5. In a speech last month at a telecommunications conference in Buenos
Aires, Vice President Gore described his vision for a global information network to
link the people of the world and provide a global information marketplace. How
would the electronic information flow between countries be affected if other coun-
tries will not let Clipper Chip in?
Answer 5. I have thought a great deal about the international aspects of key es-
crow, whether by Clipper or in software. I do not see any practical way in which
key escrow is ever going to work in a multinational setting. I believe that individual
governments may work out ways for sharing the results of law enforcement inter-
cepts in foreign countries. But I see no way that multinational companies will be
able to communicate with their customers and suppliers in foreign countries if each
government imposes its own form of key escrow. Vice President Gore's vision of a
global information marketplace will be impossible so long as the U.S. Government
or any other government feels key escrow is essential to their law enforcement in-
terests. If the U.S. persists in this, it may have a national information marketplace,
but it will be locked out of the international marketplace.
Question 6. We are market leaders in applications software and operating sys-
tems. Our world leadership in operating systems is dependent on integrating secu-
rity in internationally distributed systems. If overseas companies provide systems
based on algorithms without key escrow schemes that encrypt faster and more se-
curely, how will we compete internationally?
Answer 6. We are rapidly reaching the point where we cannot compete inter-
nationally in products that incorporate good quality security. Multinational compa-
nies are requiring such capabilities in the information systems they are buying, and
we are being locked out of those sales. And these are not just sales of encryption
products. They involve all aspects of word processing, spreadsheets, integrated office
products, database management systems, the very heart of our information system
industry. We are not able to compete in these security-conscious marketplaces, and
increasingly this will affect both our market share and our own abilities to protect
U.S. sensitive information.
Question 7. In your testimony you note that "the Skipjack algorithm works fast
enough to encrypt phone and low speed computer communications but will not eas-
ily scale to meet the needs of high speed computer communications." Could you ex-
plain this limitation in the underlying algorithm for Clipper Chip?
Answer 7. This question has a complex answer that involves the way key escrow
will be used as well as its implementation in hardware.
First, the problem I was referring to is not a limitation of the Skipjack algorithm
but relates to the hardware technologies currently being used to implement Clipper
and Capstone. Some people have stated that the current versions will have to be
reimplemented to work at the higher speeds required by modern computer commu-
nications.
But the nature of key escrow of individual communications requires interaction
on a per-phone call or per-computer message basis. This is best done at the user
end of the communications links (the individual phones or computers originating the
communications). The present implementations of Clipper and Capstone are well-
suited to this use.
There are other uses of cryptography that require much higher bandwidth and are
not amenable to individual key escrow. Bulk encryption of high bandwidth commu-
nications links requires very fast cryptography. The Skipjack algorithm could prob-
ably be implemented with much higher speed technology for such uses. But key es-
crow of individual phone calls or computer messages is not meaningful in high band-
width bulk encryption applications.
If the American people agree that we need key escrow, Skipjack, with its embed-
ded key escrow, will play a role in achieving that capability. But key escrow is not
the answer to all our cryptographic needs. We will also need cryptographic tech-
nologies that will operate at the same speeds as our highest bandwidth communica-
tions. For these devices, key escrow makes no sense.
Question 8. The National Security Agency has stated that "many non-key escrow
encryption products have long been licensed for export * * * [and] * * * will continue
to be." Do you share this view that many American encryption products are freely
licensed for export?
Answer 8. There are many encryption products made in the U.S. with "weak"
cryptography that are approved for export from the U.S. The best example is the
so called "SPA deal" of 1992 in which the government agreed to the export of prod-
ucts containing cryptography so long as the key length used was 40 bits or less (the
key length of the Data Encryption Standard is 56 bits).
Unfortunately, key lengths of 40 bits or less are, with today's technology, trivially
easy to defeat. When U.S. companies attempt to sell products based on 40-bit keys
to their foreign customers who already have 56-bit DES products, they generally
fail.
As the use of good quality cryptography continues to grow, those U.S. products
that have weak cryptography (and are therefore approved for export) will lose any
market share that may now exist.
Question 9. The administration has stated that the Skipjack algorithm in the Clip-
per Chip must remain classified and only specially certified vendors will be given
access to it. By contrast, openly available devices, such as Intel-compatible
microprocessors, have seen dramatic gains, but only because everyone was free to
try to build a better version. Given the restrictions on who can build Clipper de-
vices, do you have any concerns about how Clipper will keep up with advances in
semiconductor speed, power, capacity and integration?
Answer 9. This is a fundamental question at the core of technological advances
throughout our society. If the last twenty years have shown anything, it is that open
development of technologies that compete directly in the marketplace will be far
more successful than closed designs. This is true for personal computers and for
cryptographic devices.
Classified encryption algorithms that must be designed and implemented in closed
communities will never be able to compete with the open-market development of
products based on DES and similar public algorithms. Key escrow does not require
the use of classified algorithms; it will work equally well with DES or other popular
algorithms. If the Administration insists on a closed development and implementa-
tion process, it will relegate its key escrow ideas to a very small segment of the
overall market for cryptography.
Question 10. The Administration has assured industry that the key escrow tech-
nology will be enhanced to keep pace with future data requirements. Are you aware
of anything the Administration is doing to develop key escrow technology that can
work with emerging high-speed communications technologies?
Answer 10. No, but I believe there are many techniques that can be used to at-
tempt to make key escrow work with high speed communications. See my answers
to questions 7 and 9.
Question 11. Every Clipper Chip has the same Family Key programmed into it.
This Family Key is used by law enforcement to decode an intercepted serial number,
or unique identifier, that is transmitted at the beginning of every encrypted con-
versation. The law enforcement agency presents this serial number to get the decod-
ing keys from the escrow agents. In the event that someone got unauthorized access
to the Chip Family Key, what could that person do with it? Do you have any con-
cerns about who will have access to the Chip Family Key?
Answer 11. If an unauthorized individual obtained access to a device family key,
that individual could create a capability to track the users of any device in that fam-
ily, as was discussed in question 1. I believe that the procedures being established
for protection of family keys and device escrow keys are quite strong. But as was
pointed out by Senator Specter, it is not easy to keep a secret over a long period
of time.
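A simplified model of the escrow header described in answers 1 and 11, added here as an illustration; it is not code from the hearing record or from any government design. Assumptions (none from the record): a 4-byte serial number, an 8-byte nonce sent in the clear, an HMAC-SHA256 stand-in in place of the classified Skipjack cipher, and a device unit key split into two XOR halves held by two escrow agents. It shows that the family key alone identifies the sending device, while reading the traffic additionally needs both agents' halves, which is why the answers treat the family key as something to be guarded.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERIAL_LEN = 4    # constructed: 32-bit device serial number
KEY_LEN = 10      # 80-bit keys, the Skipjack key size
NONCE_LEN = 8     # constructed: per-message nonce carried in the clear


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). Skipjack was
    classified at the time; the cipher choice is beside the point here."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


@dataclass
class EscrowAgent:
    name: str
    shares: dict = field(default_factory=dict)   # serial -> key half


@dataclass
class Device:
    serial: bytes
    unit_key: bytes


def make_device(serial: bytes, agent1: EscrowAgent, agent2: EscrowAgent) -> Device:
    """Programme a chip: the unit key is the XOR of two random halves, and
    each escrow agent files one half under the serial number."""
    half1 = secrets.token_bytes(KEY_LEN)
    half2 = secrets.token_bytes(KEY_LEN)
    agent1.shares[serial] = half1
    agent2.shares[serial] = half2
    return Device(serial, xor_bytes(half1, half2))


def build_header(device: Device, session_key: bytes, family_key: bytes,
                 nonce: bytes) -> bytes:
    """Header sent at the start of a conversation: the session key wrapped
    under the unit key, then serial || wrapped key wrapped under the family
    key that every chip in the family shares."""
    inner = encrypt(device.unit_key, nonce, session_key)
    return nonce + encrypt(family_key, nonce, device.serial + inner)


def open_outer(header: bytes, family_key: bytes):
    """What a holder of the family key alone can do: strip the outer layer,
    exposing the serial number and the still-wrapped session key."""
    nonce, body = header[:NONCE_LEN], header[NONCE_LEN:]
    plain = encrypt(family_key, nonce, body)
    return nonce, plain[:SERIAL_LEN], plain[SERIAL_LEN:]


def decode_serial(header: bytes, family_key: bytes) -> bytes:
    """Identify the sending device with no contact with the escrow agents."""
    return open_outer(header, family_key)[1]


def recover_session_key(header: bytes, family_key: bytes,
                        agent1: EscrowAgent, agent2: EscrowAgent) -> bytes:
    """Reading the traffic needs the family key plus both escrowed halves."""
    nonce, serial, inner = open_outer(header, family_key)
    unit_key = xor_bytes(agent1.shares[serial], agent2.shares[serial])
    return encrypt(unit_key, nonce, inner)


def calls_per_device(headers, family_key):
    """The exposure the answers describe: tally intercepted headers by
    serial number using nothing but the family key."""
    tally = {}
    for h in headers:
        serial = decode_serial(h, family_key)
        tally[serial] = tally.get(serial, 0) + 1
    return tally


if __name__ == "__main__":
    a1, a2 = EscrowAgent("escrow-agent-1"), EscrowAgent("escrow-agent-2")
    family_key = secrets.token_bytes(KEY_LEN)                 # constructed
    phone = make_device(b"\x00\x00\x12\x34", a1, a2)          # constructed serial
    session_key = secrets.token_bytes(KEY_LEN)
    header = build_header(phone, session_key, family_key, secrets.token_bytes(NONCE_LEN))
    print("serial seen with family key only:", decode_serial(header, family_key).hex())
    print("session key recovered with both halves:",
          recover_session_key(header, family_key, a1, a2) == session_key)
```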
Question 12. The Internet Privacy Enhanced Mail (PEM) is becoming an inter-
nationally recognized system for encrypting Electronic Mail over the Internet. If the
Administration is successful in making the key escrow chips an American standard
for encrypting electronic mail while the rest of the world uses PEM, how would this
affect encrypted E-mail traffic between the U.S. and other countries?
Answer 12. If key escrow were to become a mandatory standard in the U.S. while
the rest of the world continued to use Internet PEM, there would be very little
encrypted e-mail between the U.S. and the rest of the world.
Question 13. Is the demand for strong encryption technology growing and, if so,
why?
Answer 13. Concern for the protection of sensitive information from unauthorized
disclosure, modification or destruction is growing in all segments of the information
technology market, from individuals to large corporations and governments. The de-
mand for good quality cryptography will continue to grow until this concern can be
adequately addressed. This is a fundamental issue that the Administration's policies
of always siding with the law enforcement and national security interests continue
to ignore. People will find ways to protect their sensitive information even if they
have to buy encryption products from foreign sources.
Answers to Questions From the Senate Subcommittee on Technology and
The Law to Vice Admiral J.M. McConnell
Question 1. The Defense Authorization Bill for Fiscal Year 1994 has authorized
$800,000 to be spent by the National Research Council of the National Academy of
Sciences to conduct a study of federal encryption policy. Can we wait to implement
the key escrow encryption program until we have the benefit of the NRC's study?
Do you think this study is necessary? Should this study be expedited?
Answer 1. We do not believe that we can wait until after the NRC study is com-
pleted in 1996 to begin implementation of the key escrow initiative. The information
technology industry is dynamic and fast-moving, and to wait another two years or
more would, we believe, jeopardize the success of the initiative. Industry demand
for encryption products is growing, and the technology is available now to meet that
demand with encryption products that provide an outstanding level of security to
the user without making it impossible for law enforcement agencies to conduct law-
ful wiretaps. To wait for the completion of the NRC study would make it much more
likely that the market would turn to other encryption products which would defeat
lawful wiretaps. We believe that such a delay would not be in the best interest of
the American people.
Neither do we believe that the study should be expedited. For our part, we will
carefully consider the conclusions of the NRC study. We expect that it will give very
careful consideration to the issues, and we would not want the pressure of an un-
necessarily short deadline to limit the study group's ability to produce the best re-
port possible.
Question 2. The Administration has said that it is continuing to restrict export
of the most sophisticated encryption devices, in part, "because of the concerns of our
allies who fear that strong encryption technology would inhibit their law enforce-
ment capabilities." Do we really need to help our allies by prohibiting the export
of strong American encryption products, since those same countries can simply con-
trol the encryption bought within their borders?
Answer 2. Exports of encryption products are subject to review primarily to pro-
tect U.S. national interests, including national security, law enforcement, foreign
policy, and other important interests. The law enforcement concerns of our allies are
a consideration, especially as the ability of our allies to combat terrorism, drug traf-
ficking, and other international law enforcement problems can have direct benefits
to the United States. However, foreign law enforcement concerns do not drive our
export control policy. We would continue to review encryption exports to protect U.S.
national interests even if foreign law enforcement concerns disappeared.
Question 3. Do you know whether foreign governments would be interested in im-
porting key escrow encryption products to which they hold the decoding keys?
Answer 3. Several foreign governments have expressed interest in key escrow
encryption technology due to their own law enforcement concerns. There have been
some preliminary discussions, but issues such as who would hold the escrowed keys
and the circumstances of government access to escrowed keys must be fully vetted.
Question 4. The Government wants the key escrow encryption standard to become
the de facto industry standard in the United States. Would the Government aban-
don the Clipper Chip program if it is shown to be unsuccessful beyond government
use?
Answer 4. We do not expect the program to be unsuccessful beyond government.
We have developed a sound security product that we expect will find many uses in
government information systems and further believe that government use will bring
with it a commercial market, particularly in the defense sector. We have developed
a sound security product that we expect will find many uses in government informa-
tion systems regardless of its success in commercial markets.
Question 5. Openly available devices, such as Intel-compatible microprocessors,
have seen dramatic gains, but only because everyone was free to try to build a bet-
ter version. Given the restrictions on who can build devices with the classified Skip-
jack algorithm, how will key escrow chips keep up with advances in semiconductor
speed, power, capacity and integration?
Answer 5. Despite the requirements that a firm must meet to produce key escrow
encryption chips, we expect that there will be a number of manufacturers competing
against each other to produce the best product, and that such competition will drive
them to keep up with the latest technological advances. It is worth noting that only
a few companies can produce the sophisticated microprocessors you reference, yet
the competition in that market has driven them to achieve remarkable advances in
that technology. NSA's STU-III secure telephone program provides an example of
a cryptographic product line that keeps pace with technology.
The presence of a classified algorithm does not preclude keeping pace with tech-
nology. Through NSA's use of a competitive, multi-vendor approach, STU-III secure
telephone products have continued to evolve in response to user requirements and
technological advances despite their use of a classified encryption algorithm and the
consequent need for security restrictions on the manufacturers.
Question 6. How well does the Skipjack algorithm work on telecommunications op-
erating at very high speeds? Is NSA working on another algorithm, called BATON,
that could be used at high speeds with a key escrow system? Will Capstone be com-
patible with BATON?
Answer 6. Using currently available microelectronics technology, the SKIPJACK
algorithm could not be used for encryption at very high speeds. BATON is the name
of an algorithm developed by NSA that could be used at higher rates of speed. We
have no plans to develop key escrow encryption devices using BATON, however. In-
stead, we are considering another algorithm for use at high speeds with a key es-
crow system.
A high-speed key escrow device based on an algorithm other than SKIPJACK
would not be "compatible with Capstone" in the sense that traffic encrypted by such
a device could not be decrypted by Capstone, and vice versa. However, since such
a device would be used for much higher-speed applications than those for which
Capstone was designed, there would be no need for it to be compatible with Cap-
stone in that sense.
Question 7. Can Capstone be used to encrypt video programming? If so, have cable
companies been approached by any government agency to use Capstone to scramble
or encrypt cable programs?
Answer 7. Capstone could be used to encrypt any digital signal, including video
programming, operating at up to about 10 million bits per second. It could be used
for encrypting individual video channels but not for bulk encryption of many chan-
nels multiplexed together in a single link. NSA is not aware of any government
agency approaching cable companies to urge the use of Capstone. Two manufactur-
ers have asked us about the suitability of key escrow devices for this purpose, how-
ever.
Question 8. Encryption software is available that can be used with Clipper to
encrypt a message before or after it has been encrypted with Clipper. This "double
encrypting" risks bypassing the key escrow feature. If a sender first encrypts the
message with software using DES, and then transmits the message "double
encrypted" with Clipper, can you tell from looking at the cipher, or encrypted text,
that the underlying message was encrypted?
Answer 8. The only way to tell that a message has been "double encrypted" in
this way would be to decrypt the "outer layer" of encryption, i.e. that done with
Clipper. Only then would one be able to tell that the message had first been
encrypted with something else.
Answers to Questions From Senator Pressler to Vice Admiral J.M.
McConnell
Question 1. Admiral as you are aware, critics of the Administration's proposal
argue that as a practical matter, no criminal, foreign spy, or terrorist of any sophis-
tication would be foolish enough to use an encryption device designed by the NSA
and approved by the FBI. How do you respond? Why do[n't you] think the people
whose telecommunications the NSA and the FBI want most to decode will be the
very people most unlikely to use this technology?
Answer 1. From what we know today, the overriding requirement that spies, ter-
rorists, and criminals have is for readily available and easy to use equipment that
interoperates. Key escrow encryption is not meant to be a tool to catch criminals.
It will make excellent encryption available to legitimate businesses and private citi-
zens without allowing criminals to use the telecommunications system to plan and
commit crimes with impunity. We believe it would be irresponsible for government
to make excellent encryption broadly available knowing that its use by criminals
would make it impossible for law enforcement agencies to conduct lawful wiretaps
against them.
The Department of Justice credits information gleaned through wiretaps as lead-
ing to more than 20,000 felony convictions since the early 1980s. This would not
have been possible if the criminals had been using encryption systems the FBI could
not break.
Without government action, however, this fortunate situation will change. At
present most people, and most criminals, don't use encryption. However, there is an
increasing public awareness of the value of encryption for protecting private per-
sonal and business communications. Increasing demand for encryption by the public
will likely lead to the widespread use of some form of standardized encryption on
the public telecommunications network.
This development would have great benefits for the country. Legitimate busi-
nesses and private individuals could use the telecommunications system secure in
the knowledge that their private information such as business records and credit
card numbers could not be intercepted by third parties.
But there is a down side. Criminals, terrorists, and others could also use the sys-
tem to plan crimes, launder money, and the like, completely secure in the knowl-
edge that law enforcement agencies could not listen to those communications. Just
as legitimate businesses operate much more efficiently and effectively using the
telecommunications system than they could without it, so will criminal enterprises
be able to operate more efficiently and effectively if they no longer have to avoid
using the telecommunications system.
The United States is faced with a choice. We can sit back and watch as the emerg-
ing national information infrastructure becomes a valuable tool for criminals and
terrorists to use to plan and carry out their activities with complete security, or we
can take steps to maintain the current ability of government to conduct lawful wire-
taps so that prudent criminals will have to find other less efficient ways to operate
and foolish ones may be caught. Key escrow encryption is the latter option.
Question 2. Would widespread use of the Skipjack algorithm harm U.S. exports?
Do you think it is unlikely foreign businesses will purchase American encryption
technology if the U.S. Government holds a set of the decoding keys?
Answer 2. I do not believe that widespread use of key escrow encryption in the
United States will harm U.S. exports. If it has any effect at all, it could increase
exports somewhat. Key escrow encryption products provide another option for for-
eign purchasers that they have not had in the past; to the extent that foreigners
do purchase key escrow encryption products, it will mean an increase in exports.
Meanwhile, U.S. exporters are free to continue to sell the products they currently
sell in foreign markets and to seek license approvals for new products.
It is difficult to predict the foreign market for U.S. key escrow encryption tech-
nology. Businesses that fear U.S. Government interception of their communications
presumably would avoid products for which the U.S. Government holds keys. How-
ever, there are a number of reasons why foreign businesses might purchase them.
One major reason would be to communicate securely with U.S. businesses that use
them. In addition, the superior level of security provided by key escrow products
(against all but lawful U.S. Government access) may make them attractive to for-
eign businesses that do not view U.S. Government access as a major concern. While
some prospective users abroad may steer clear of key escrow products because the
United States will retain access, there may be many who believe they are unlikely
to be targeted by U.S. intelligence in any case or for whom the superior security
offered by key escrow encryption products against threats of greater concern may
make key escrow products an attractive option. For example, a distributor of pay-
TV programming may depend on encryption to ensure that only those viewers who
pay for the service can decrypt the TV signal. Such a distributor probably would
not be concerned about the threat of access by the United States Government, and
might favor suitable key escrow encryption products over competing products that
use weaker encryption algorithms.
Question 3. You were present when the previous panelist, Stephen Walker, described how present U.S. laws prohibit his company from exporting encryption products. As I understand it, Senator Murray's bill, S. 1846, attempts to relax these export controls somewhat. Please give us your views on this legislation.
Answer 3. I support the Administration's position, as announced by the White House on February 4, that current export controls must remain in place and that regulatory changes should be implemented to speed exports and reduce the licensing burden on exporters. The bill you reference appears to be inconsistent with the Administration position. I would be happy to provide you further information on the Administration's reasons for maintaining the current export controls in an appropriate setting.
Answer to a Question From Senator Murray to Vice Admiral McConnell
Question 1. In my office in the Hart building this February, I downloaded from the Internet an Austrian program that uses DES encryption. This was on a laptop computer, using a modem over a phone line. The Software Publishers Association says there are at least 120 DES or comparable programs worldwide. However, U.S. export control laws prohibit American exporters from selling comparable DES programs abroad. With at least 20 million people hooked up to the Internet, how do U.S. export controls actually prevent criminals, terrorists, or whoever from obtaining DES encryption software?
Answer 1. Serious users of encryption do not entrust their security to software distributed via networks or bulletin boards. There is simply too much risk that viruses, Trojan Horses, programming errors, and other security flaws may exist in such software which could not be detected by the user. Serious users of encryption, those who depend on encryption to protect valuable data and cannot afford to take such chances, instead turn to other sources in which they can have greater confidence. Such serious users include not only entities which may threaten U.S. national security interests, but also businesses and other major consumers of encryption products. Encryption software distribution via Internet, bulletin board, or modem does not undermine the effectiveness of encryption export controls.